CVE-2018-8009: Path Traversal in Hadoop
8.8
CVSS Score
3.0
Basic Information
CVE ID
GHSA ID
EPSS Score
0.91972%
CWE
Published
12/21/2018
Updated
3/4/2024
KEV Status
No
Technology
Java
Technical Details
CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
org.apache.hadoop:hadoop-main | maven | = 3.1.0 | 3.1.1 |
org.apache.hadoop:hadoop-main | maven | >= 3.0.0, < 3.0.3 | 3.0.3 |
org.apache.hadoop:hadoop-main | maven | >= 2.9.0, < 2.9.2 | 2.9.2 |
org.apache.hadoop:hadoop-main | maven | >= 2.8.0, < 2.8.5 | 2.8.5 |
org.apache.hadoop:hadoop-main | maven | < 2.7.7 | 2.7.7 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from improper path validation during archive extraction. The commit diff shows critical security checks were added to both unZip and unpackEntries functions to prevent path traversal via canonical path validation. The CVE description explicitly references zip file handling as the attack vector, and the added test cases (testUnZip2) demonstrate exploitation attempts using '../' paths. These functions were directly modified in the patch to address the vulnerability.