Abhishek Singh created CASSANDRA-15419: ------------------------------------------ Summary: sonatype-2013-0069(The setuptools package is vulnerable to Directory Traversal) on Cassendra 3.11.4 Key: CASSANDRA-15419 URL: https://issues.apache.org/jira/browse/CASSANDRA-15419 Project: Cassandra Issue Type: Bug Reporter: Abhishek Singh *Description :**Description :* *Severity :* Sonatype CVSS 3: 7.5CVE CVSS 2.0: 0.0    *Weakness :* Sonatype CWE: 22    *Source :* Sonatype Data Research    *Categories :* Data   *Explanation :* The setuptools package is vulnerable to Directory Traversal. The _install[] function and _build_egg[] function in the ez_setup.py file creates setuptools as a .tar.gz file for distribution and allows files to be extracted to arbitrary locations. An attacker can exploit this vulnerability by uploading a tar archive that contains filenames starting with directory traversal characters such as [../../../../../etc/passwd] or symbolic links which, when untarred, will overwrite arbitrary files.   *Detection :* The application is vulnerable by using this component.   *Recommendation :* We recommend upgrading to a version of this component that is not vulnerable to this specific issue.   *Root Cause :* apache-cassandra-3.11.4-bin.tar.gzsetuptools-0.9.6/ez_setup.py : [0.7.3, 3.0b1]    *Advisories :* Project: https://github.com/pypa/setuptools/issues/7    *CVSS Details :* Sonatype CVSS 3: 7.5CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N *Occurences (Paths) :* ["apache-cassandra.zip" ; "apache-cassandra.zip"] *CVE :* sonatype-2013-0069 *URL :* No URL Present. *Remediation :* This component does not have any non-vulnerable Version. Please contact the vendor to get this vulnerability fixed. -- This message was sent by Atlassian Jira (v8.3.4#803005) --------------------------------------------------------------------- To unsubscribe, e-mail: commits-unsubscribe@cassandra.apache.org For additional commands, e-mail: commits-help@cassandra.apache.org