oss-sec mailing list archives
[CVE-2020-9479] Directory traversal vulnerability in Apache AsterixDB
From: Ian Maxon <imaxon () apache org>
Date: Fri, 7 Aug 2020 17:27:04 -0700
CVE-2020-9479: AsterixDB directory traversal Severity: Important Vendor: The Apache Software Foundation Versions Affected: None released, git commits 580b81aa5e8888b8e1b0620521a1c9680e54df73 to 28c0ee84f1387ab5d0659e9e822f4e3923ddc22d , fixed in 28c0ee84f1387ab5d0659e9e822f4e3923ddc22d and mitigated by 694ffd194ce5c6e610f61368c1511778d0bff254 Description: When loading a UDF, a specially crafted zip file could allow files to be placed outside of the UDF deployment directory. Mitigation: Upgrade unreleased versions past 28c0ee84f1387ab5d0659e9e822f4e3923ddc22d or to 0.9.5 . Don't allow untrusted access to the UDF endpoint. Example: The zip file will contain a directory entry named ".." Credit: This issue was discovered by Yiming Xiang of NSFOCUS
Current thread:
- [CVE-2020-9479] Directory traversal vulnerability in Apache AsterixDB Ian Maxon (Aug 08)