CVE-2022-25168

{"id": "CVE-2022-25168", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2022-08-04T15:15:08.343", "references": [{"url": "https://lists.apache.org/thread/mxqnb39jfrwgs3j6phwvlrfq4mlox130", "tags": ["Mailing List", "Vendor Advisory"], "source": "security@apache.org"}, {"url": "https://security.netapp.com/advisory/ntap-20220915-0007/", "tags": ["Third Party Advisory"], "source": "security@apache.org"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "security@apache.org", "description": [{"lang": "en", "value": "CWE-78"}]}, {"type": "Secondary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-78"}]}], "descriptions": [{"lang": "en", "value": "Apache Hadoop's FileUtil.unTar(File, File) API does not escape the input file name before being passed to the shell. An attacker can inject arbitrary commands. This is only used in Hadoop 3.3 InMemoryAliasMap.completeBootstrapTransfer, which is only ever run by a local user. It has been used in Hadoop 2.x for yarn localization, which does enable remote code execution. It is used in Apache Spark, from the SQL command ADD ARCHIVE. As the ADD ARCHIVE command adds new binaries to the classpath, being able to execute shell scripts does not confer new permissions to the caller. SPARK-38305. \"Check existence of file before untarring/zipping\", which is included in 3.3.0, 3.1.4, 3.2.2, prevents shell commands being executed, regardless of which version of the hadoop libraries are in use. Users should upgrade to Apache Hadoop 2.10.2, 3.2.4, 3.3.3 or upper (including HADOOP-18136)."}, {"lang": "es", "value": "La API FileUtil.unTar(File, File) de Apache Hadoop no escapa el nombre del archivo de entrada antes de pasarlo al shell. Un atacante puede inyectar comandos arbitrarios. Esto s\u00f3lo es usado en Hadoop versi\u00f3n 3.3 InMemoryAliasMap.completeBootstrapTransfer, que s\u00f3lo es ejecutado un usuario local. Se ha usado en Hadoop versi\u00f3n 2.x para la localizaci\u00f3n de hilos, que s\u00ed permite una ejecuci\u00f3n de c\u00f3digo remota . Es usado en Apache Spark, desde el comando SQL ADD ARCHIVE. Como el comando ADD ARCHIVE a\u00f1ade nuevos binarios al classpath, el hecho de poder ejecutar scripts de shell no confiere nuevos permisos a quien lo llama. SPARK-38305. \"Comprobar la existencia de un archivo antes de desarchivar/comprimir\", que es incluida en versiones 3.3.0, 3.1.4 y 3.2.2, impide la ejecuci\u00f3n de comandos de shell, independientemente de la versi\u00f3n de las bibliotecas de Hadoop que se est\u00e9 usando. Los usuarios deben actualizar a Apache Hadoop versiones 2.10.2, 3.2.4, 3.3.3 o superior (incluyendo HADOOP-18136)"}], "lastModified": "2023-06-26T11:15:09.370", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:apache:hadoop:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "689ABB50-04DB-4449-8750-CBE9346F19AA", "versionEndIncluding": "2.10.1", "versionStartIncluding": "2.0.0"}, {"criteria": "cpe:2.3:a:apache:hadoop:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B2D7FBED-F7AB-4BA8-BD85-3638AF05A445", "versionEndIncluding": "3.2.3", "versionStartIncluding": "3.0.0"}, {"criteria": "cpe:2.3:a:apache:hadoop:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "FF92F83A-F36C-4DED-8807-1292704B4AB8", "versionEndIncluding": "3.3.2", "versionStartIncluding": "3.3.0"}], "operator": "OR"}]}], "sourceIdentifier": "security@apache.org"}