
List:       oss-security
Subject:    [oss-security] [CVE-2020-9479] Directory traversal vulnerability in Apache AsterixDB
From:       Ian Maxon <imaxon () apache ! org>
Date:       2020-08-08 0:27:04
Message-ID: CAKMqrge9afTtC-oF6b6-sn6dN-4+QNHSmt50eA54mMnP=vCzzw () mail ! gmail ! com

CVE-2020-9479: AsterixDB directory traversal
Severity: Important

Vendor: The Apache Software Foundation

Versions Affected: None released; git commits
580b81aa5e8888b8e1b0620521a1c9680e54df73 to
28c0ee84f1387ab5d0659e9e822f4e3923ddc22d,
fixed in 28c0ee84f1387ab5d0659e9e822f4e3923ddc22d and mitigated by
694ffd194ce5c6e610f61368c1511778d0bff254

Description: When loading a UDF, a specially crafted zip file could
allow files to be placed outside of the UDF deployment directory.

Mitigation: Upgrade unreleased versions past
28c0ee84f1387ab5d0659e9e822f4e3923ddc22d or to 0.9.5.
Don't allow untrusted access to the UDF endpoint.

Example: The zip file will contain a directory entry named ".."

Credit: This issue was discovered by Yiming Xiang of NSFOCUS
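The advisory above describes the classic "zip slip" pattern: an archive entry whose name is ".." (or otherwise climbs out of the target directory) makes a naive extractor write outside the deployment directory. The following is an added illustration, not code from the advisory or from AsterixDB. It builds a constructed archive in memory containing a directory entry named "..", a relative path that climbs two levels up, and an absolute path, then shows where an extractor that merely joins the destination with the entry name would write, beside a hardened extractor that rejects any entry whose canonical path leaves the destination. The archive contents, the deployment directory name and the function names are all assumptions made for the demo; Python's own `ZipFile.extractall` already strips ".." components, so the check is shown explicitly for extractors that do not get that for free.

```python
"""Zip path-traversal ("zip slip") check for a UDF-style deployment directory.

Added example (not AsterixDB code). The archive built here is constructed for
the demo: it contains a directory entry named "..", a file that climbs two
levels above the destination, and an absolute path.
"""
from __future__ import annotations

import io
import os
import tempfile
import zipfile
from pathlib import Path


def build_hostile_zip() -> bytes:
    """Constructed sample archive, not a real AsterixDB UDF package."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("lib/udf.jar", b"placeholder jar bytes")   # benign entry
        zf.writestr("../", b"")                                # directory entry named ".."
        zf.writestr("../../escaped.txt", b"written outside")   # climbs two levels up
        zf.writestr("/etc/evil.txt", b"absolute path")         # absolute path entry
    return buf.getvalue()


def naive_target_paths(zip_bytes: bytes, dest: Path) -> list[str]:
    """Where an extractor that just joins dest + entry name would write.

    Dry run: nothing is written to disk. os.path.join discards dest entirely
    when the entry name is absolute, and normpath folds ".." components.
    """
    base = str(dest.resolve())
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [os.path.normpath(os.path.join(base, info.filename)) for info in zf.infolist()]


def entry_escapes(dest: Path, name: str) -> bool:
    """True if extracting entry `name` under `dest` would land outside `dest`."""
    base = dest.resolve()
    # Zip names should use '/', but some archivers emit '\'; normalise first.
    normalised = name.replace("\\", "/")
    parts = normalised.split("/")
    if normalised.startswith("/") or os.path.splitdrive(normalised)[0] or ".." in parts:
        return True
    # Defence in depth: canonicalise the final path (this also follows any
    # symlink already present under dest) and require it to stay under dest.
    target = (base / normalised).resolve()
    return os.path.commonpath([str(base), str(target)]) != str(base)


def safe_extract(zip_bytes: bytes, dest: Path) -> tuple[list[str], list[str]]:
    """Extract only entries that stay inside dest; return (accepted, rejected) names."""
    base = dest.resolve()
    accepted: list[str] = []
    rejected: list[str] = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if entry_escapes(base, info.filename):
                rejected.append(info.filename)
                continue
            target = base / info.filename.replace("\\", "/")
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
            else:
                target.parent.mkdir(parents=True, exist_ok=True)
                with zf.open(info) as src, open(target, "wb") as out:
                    out.write(src.read())
            accepted.append(info.filename)
    return accepted, rejected


def demo() -> dict:
    """Run both extractors against the hostile archive inside a temp directory."""
    zip_bytes = build_hostile_zip()
    with tempfile.TemporaryDirectory() as tmp:
        dest = Path(tmp) / "udf" / "deploy"   # hypothetical deployment directory
        dest.mkdir(parents=True)
        base = str(dest.resolve())
        naive = naive_target_paths(zip_bytes, dest)
        outside = [p for p in naive if os.path.commonpath([base, p]) != base]
        accepted, rejected = safe_extract(zip_bytes, dest)
        written = sorted(str(p.relative_to(dest)) for p in dest.rglob("*") if p.is_file())
    return {"naive_outside": outside, "accepted": accepted, "rejected": rejected, "written": written}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The hardened extractor checks two things independently: a syntactic rule (no absolute path, no drive prefix, no ".." component) and a canonical-path rule (the resolved target must still share `dest` as its common prefix). Keeping both is deliberate: the syntactic rule is cheap and catches the obvious ".." entry named in the advisory, while the canonical-path rule also catches climbs through symlinks that earlier entries may have created inside the deployment directory.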