cassandra-commits mailing list archives

From "Abhishek Singh (Jira)" <j...@apache.org>
Subject [jira] [Created] (CASSANDRA-15419) sonatype-2013-0069 (The setuptools package is vulnerable to Directory Traversal) on Cassandra 3.11.4
Date Wed, 13 Nov 2019 06:29:00 GMT
Abhishek Singh created CASSANDRA-15419:
------------------------------------------

             Summary: sonatype-2013-0069 (The setuptools package is vulnerable to Directory Traversal) on Cassandra 3.11.4
                 Key: CASSANDRA-15419
                 URL: https://issues.apache.org/jira/browse/CASSANDRA-15419
             Project: Cassandra
          Issue Type: Bug
            Reporter: Abhishek Singh


*Description :*
 *Severity :* Sonatype CVSS 3: 7.5; CVE CVSS 2.0: 0.0
 
 *Weakness :* Sonatype CWE: 22
 
 *Source :* Sonatype Data Research
 
 *Categories :* Data 
 *Explanation :* The setuptools package is vulnerable to Directory Traversal. The _install() and _build_egg() functions in the ez_setup.py file create setuptools as a .tar.gz file for distribution and allow files to be extracted to arbitrary locations. An attacker can exploit this vulnerability by uploading a tar archive that contains filenames starting with directory traversal characters such as ../../../../../etc/passwd, or symbolic links, which, when untarred, will overwrite arbitrary files.
 *Detection :* The application is vulnerable by using this component. 
 *Recommendation :* We recommend upgrading to a version of this component that is not vulnerable
to this specific issue. 
 *Root Cause :* apache-cassandra-3.11.4-bin.tar.gz : setuptools-0.9.6/ez_setup.py : [0.7.3, 3.0b1]
 
 *Advisories :* Project: https://github.com/pypa/setuptools/issues/7
 
 *CVSS Details :* Sonatype CVSS 3: 7.5; CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
*Occurrences (Paths) :* ["apache-cassandra.zip" ; "apache-cassandra.zip"]
*CVE :* sonatype-2013-0069
*URL :* No URL Present.
*Remediation :* This component does not have any non-vulnerable Version. Please contact the
vendor to get this vulnerability fixed.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
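The explanation above names the two ways an untrusted tar archive escapes its extraction directory: member names carrying `../` components and symbolic links whose targets resolve outside the destination. The following is an added example, not code from setuptools, ez_setup.py or Cassandra, showing how an extractor validates every member against the destination before writing anything. Function names (`unsafe_members`, `safe_extract`, `scan_archive`), the sample archive and the destination directory are all assumptions constructed for the demonstration.

```python
# Added example (not setuptools, ez_setup.py or Cassandra code): check tar members
# for the two escape routes the advisory names, "../" path components and
# symbolic links, before anything is written to disk.
import io
import os
import tarfile
import tempfile


def is_within_directory(base: str, target: str) -> bool:
    """True if target, after normalising '..' and symlinks, lies inside base."""
    base = os.path.realpath(base)
    target = os.path.realpath(target)
    try:
        return os.path.commonpath([base, target]) == base
    except ValueError:  # different drives on Windows
        return False


def unsafe_members(tar: tarfile.TarFile, dest: str) -> list:
    """Return (member name, reason) for every member that must not be extracted."""
    dest = os.path.realpath(dest)
    findings = []
    for m in tar.getmembers():
        target = os.path.join(dest, m.name)
        if os.path.isabs(m.name) or not is_within_directory(dest, target):
            findings.append((m.name, "path escapes destination"))
        elif m.issym() or m.islnk():
            # A symlink target is relative to the link's own directory; a hard
            # link target is relative to the archive root.
            if m.issym():
                link_target = os.path.join(os.path.dirname(target), m.linkname)
            else:
                link_target = os.path.join(dest, m.linkname)
            if os.path.isabs(m.linkname) or not is_within_directory(dest, link_target):
                findings.append((m.name, "link points outside destination"))
        elif not (m.isfile() or m.isdir()):
            findings.append((m.name, "unexpected member type"))  # devices, fifos
    return findings


def safe_extract(tar: tarfile.TarFile, dest: str) -> None:
    """Extract only if the whole archive passes; a single bad member rejects it all."""
    findings = unsafe_members(tar, dest)
    if findings:
        raise ValueError(f"refusing to extract archive: {findings}")
    tar.extractall(dest)


def build_demo_archive() -> bytes:
    """Constructed sample archive: one benign file, one '../' member, one escaping symlink."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        payload = b"hello\n"
        benign = tarfile.TarInfo("pkg/README")
        benign.size = len(payload)
        tar.addfile(benign, io.BytesIO(payload))
        traversal = tarfile.TarInfo("../../../../../etc/passwd")
        traversal.size = len(payload)
        tar.addfile(traversal, io.BytesIO(payload))
        link = tarfile.TarInfo("pkg/escape")
        link.type = tarfile.SYMTYPE
        link.linkname = "../../outside"
        tar.addfile(link)
    return buf.getvalue()


def scan_archive(blob: bytes, dest: str = None) -> list:
    """Open an in-memory archive and report unsafe members for the given destination."""
    if dest is None:
        dest = os.path.join(tempfile.gettempdir(), "extract-demo")  # assumed destination
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tar:
        return unsafe_members(tar, dest)


if __name__ == "__main__":
    for name, reason in scan_archive(build_demo_archive()):
        print(f"REJECT {name!r}: {reason}")
```

The check runs over the full member list before `extractall` is called, so a symlink planted by one member cannot be used by a later member to redirect a write; rejecting the whole archive rather than skipping individual members avoids silently producing a partial install. Python 3.12 ships the same class of checks built in as `tar.extractall(dest, filter="data")`, which is the preferred form where that interpreter is available.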
