CVE-2018-8008

Name of the Vulnerable Software and Affected Versions: Apache Storm versions 1.0.6 and earlier Apache Storm versions 1.2.1 and earlier Apache Storm version 1.1.2 and earlier

Description: The issue allows for an arbitrary file write, which can be achieved by using a specially crafted zip archive, as well as other archives like bzip2, tar, xz, war, cpio, and 7z. These archives can contain path traversal filenames. When the filename is concatenated to the target extraction directory, the final path ends up outside of the target folder.

Recommendations: For Apache Storm versions 1.0.6 and earlier, update to a version later than 1.0.6 to resolve the issue. For Apache Storm versions 1.2.1 and earlier, update to a version later than 1.2.1 to resolve the issue. For Apache Storm version 1.1.2 and earlier, update to a version later than 1.1.2 to resolve the issue. As a temporary workaround, consider restricting the use of archive files, especially those with path traversal filenames, until a patch is available.