Abhishek Singh created CASSANDRA-15419:
------------------------------------------
Summary: sonatype-2013-0069(The setuptools package is vulnerable to Directory
Traversal) on Cassendra 3.11.4
Key: CASSANDRA-15419
URL: https://issues.apache.org/jira/browse/CASSANDRA-15419
Project: Cassandra
Issue Type: Bug
Reporter: Abhishek Singh
*Description :**Description :* *Severity :* Sonatype CVSS 3: 7.5CVE CVSS 2.0: 0.0
*Weakness :* Sonatype CWE: 22
*Source :* Sonatype Data Research
*Categories :* Data
*Explanation :* The setuptools package is vulnerable to Directory Traversal. The _install[]
function and _build_egg[] function in the ez_setup.py file creates setuptools as a .tar.gz
file for distribution and allows files to be extracted to arbitrary locations. An attacker
can exploit this vulnerability by uploading a tar archive that contains filenames starting
with directory traversal characters such as [../../../../../etc/passwd] or symbolic links
which, when untarred, will overwrite arbitrary files.
*Detection :* The application is vulnerable by using this component.
*Recommendation :* We recommend upgrading to a version of this component that is not vulnerable
to this specific issue.
*Root Cause :* apache-cassandra-3.11.4-bin.tar.gzsetuptools-0.9.6/ez_setup.py : [0.7.3,
3.0b1]
*Advisories :* Project: https://github.com/pypa/setuptools/issues/7
*CVSS Details :* Sonatype CVSS 3: 7.5CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
*Occurences (Paths) :* ["apache-cassandra.zip" ; "apache-cassandra.zip"]
*CVE :* sonatype-2013-0069
*URL :* No URL Present.
*Remediation :* This component does not have any non-vulnerable Version. Please contact the
vendor to get this vulnerability fixed.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@cassandra.apache.org
For additional commands, e-mail: commits-help@cassandra.apache.org
|