CVE-2018-8008
ZipSlip in org.apache.storm:storm-core
5.5
MEDIUM
CVSS 3.1
EPSS 15.3%
Description
Apache Storm versions 1.0.6 and earlier, 1.2.1 and earlier, and 1.1.2 and earlier expose an arbitrary file write vulnerability that can be triggered with a specially crafted zip archive (other archive formats are affected as well: bzip2, tar, xz, war, cpio, 7z) containing path-traversal filenames. When such a filename is concatenated to the target extraction directory, the resulting path ends up outside the target folder.
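The following is an added illustration of the defensive check that prevents this class of bug; it is not Storm's code or Storm's fix. It mirrors the vulnerable pattern (joining the entry name onto the destination directory without validation) and then rejects any entry whose canonical path falls outside the destination. The archive contents and entry names are constructed for the example.

```python
import io
import os
import tempfile
import zipfile


def is_within_directory(base_dir: str, target: str) -> bool:
    """True if target, after resolving '..' and symlinks, lies inside base_dir."""
    base = os.path.realpath(base_dir)
    real = os.path.realpath(target)
    return real == base or real.startswith(base + os.sep)


def safe_extract(zip_bytes: bytes, dest_dir: str) -> list:
    """Extract an archive, refusing any entry that would escape dest_dir."""
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            # The naive join is exactly the ZipSlip pattern; an entry such as
            # "../../x" (or an absolute path) resolves outside dest_dir.
            candidate = os.path.join(dest_dir, info.filename)
            if not is_within_directory(dest_dir, candidate):
                raise ValueError("blocked path traversal entry: %r" % info.filename)
            if info.is_dir():
                os.makedirs(candidate, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(candidate), exist_ok=True)
            with zf.open(info) as src, open(candidate, "wb") as dst:
                dst.write(src.read())
            written.append(info.filename)
    return written


def build_archive(entries: dict) -> bytes:
    """Constructed sample archive; zipfile does not sanitise names on write."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def demo():
    """Returns (files written from benign zip, error for traversal zip, escaped?)."""
    benign = build_archive({"topology/conf.yaml": b"nimbus.seeds: [localhost]\n"})
    traversal = build_archive({"../../escaped.txt": b"outside\n"})
    with tempfile.TemporaryDirectory() as tmp:
        dest = os.path.join(tmp, "extract")
        os.makedirs(dest)
        written = safe_extract(benign, dest)
        try:
            safe_extract(traversal, dest)
            error = ""
        except ValueError as exc:
            error = str(exc)
        escaped = os.path.exists(os.path.join(tmp, "escaped.txt"))
    return written, error, escaped
```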
How to fix CVE-2018-8008
To remediate CVE-2018-8008, upgrade the affected package to a fixed version below.
- Upgrade to 1.1.3 or later
Is CVE-2018-8008 being exploited?
Moderate: EPSS is 15.3%. Track this CVE, but it is not at the top of the prioritisation list.
Affected packages (1)
- org.apache.storm:storm-core >= 1.1.0, < 1.1.3
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM 5.5 | CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N |