VulnerableCode Vulnerability Details

Search for vulnerabilities

Vulnerability details: VCID-dcdx-yb8v-aaah

Essentials
Severities (97)
References (11)
Severity details (12)
Exploits (0)
EPSS
History (0)

Vulnerability ID	VCID-dcdx-yb8v-aaah
Aliases	CVE-2022-25168 GHSA-8wm5-8h9c-47pc
Summary	Apache Hadoop's FileUtil.unTar(File, File) API does not escape the input file name before being passed to the shell. An attacker can inject arbitrary commands. This is only used in Hadoop 3.3 InMemoryAliasMap.completeBootstrapTransfer, which is only ever run by a local user. It has been used in Hadoop 2.x for yarn localization, which does enable remote code execution. It is used in Apache Spark, from the SQL command ADD ARCHIVE. As the ADD ARCHIVE command adds new binaries to the classpath, being able to execute shell scripts does not confer new permissions to the caller. SPARK-38305. "Check existence of file before untarring/zipping", which is included in 3.3.0, 3.1.4, 3.2.2, prevents shell commands being executed, regardless of which version of the hadoop libraries are in use. Users should upgrade to Apache Hadoop 2.10.2, 3.2.4, 3.3.3 or upper (including HADOOP-18136).
Status	Published
Exploitability	0.5
Weighted Severity	9.0
Risk	4.5
Affected and Fixed Packages	Package Details

Weaknesses (4)

CWE-78	Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CWE-88	Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
CWE-1035	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
CWE-937	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities

System	Score	Found at
cvssv3	9.8	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-25168.json
epss	0.00564	https://api.first.org/data/v1/epss?cve=CVE-2022-25168
epss	0.00564	https://api.first.org/data/v1/epss?cve=CVE-2022-25168
epss	0.00564	https://api.first.org/data/v1/epss?cve=CVE-2022-25168
epss	0.00564	https://api.first.org/data/v1/epss?cve=CVE-2022-25168
epss	0.00564	https://api.first.org/data/v1/epss?cve=CVE-2022-25168
epss	0.00564	https://api.first.org/data/v1/epss?cve=CVE-2022-25168
epss	0.00564	https://api.first.org/data/v1/epss?cve=CVE-2022-25168
epss	0.00564	https://api.first.org/data/v1/epss?cve=CVE-2022-25168
epss	0.00564	https://api.first.org/data/v1/epss?cve=CVE-2022-25168
epss	0.00564	https://api.first.org/data/v1/epss?cve=CVE-2022-25168
epss	0.00564	https://api.first.org/data/v1/epss?cve=CVE-2022-25168
epss	0.00564	https://api.first.org/data/v1/epss?cve=CVE-2022-25168
epss	0.00692	https://api.first.org/data/v1/epss?cve=CVE-2022-25168
epss	0.00692	https://api.first.org/data/v1/epss?cve=CVE-2022-25168
epss	0.00692	https://api.first.org/data/v1/epss?cve=CVE-2022-25168
epss	0.00692	https://api.first.org/data/v1/epss?cve=CVE-2022-25168
epss	0.02255	https://api.first.org/data/v1/epss?cve=CVE-2022-25168
epss	0.02255	https://api.first.org/data/v1/epss?cve=CVE-2022-25168
epss	0.02255	https://api.first.org/data/v1/epss?cve=CVE-2022-25168
epss	0.02255	https://api.first.org/data/v1/epss?cve=CVE-2022-25168
epss	0.02255	https://api.first.org/data/v1/epss?cve=CVE-2022-25168
epss	0.02255	https://api.first.org/data/v1/epss?cve=CVE-2022-25168
epss	0.02255	https://api.first.org/data/v1/epss?cve=CVE-2022-25168
epss	0.02255	https://api.first.org/data/v1/epss?cve=CVE-2022-25168
epss	0.02255	https://api.first.org/data/v1/epss?cve=CVE-2022-25168
epss	0.02255	https://api.first.org/data/v1/epss?cve=CVE-2022-25168
epss	0.02255	https://api.first.org/data/v1/epss?cve=CVE-2022-25168
epss	0.02255	https://api.first.org/data/v1/epss?cve=CVE-2022-25168
epss	0.02255	https://api.first.org/data/v1/epss?cve=CVE-2022-25168
epss	0.02255	https://api.first.org/data/v1/epss?cve=CVE-2022-25168
epss	0.02255	https://api.first.org/data/v1/epss?cve=CVE-2022-25168
epss	0.02255	https://api.first.org/data/v1/epss?cve=CVE-2022-25168
epss	0.02255	https://api.first.org/data/v1/epss?cve=CVE-2022-25168
epss	0.02255	https://api.first.org/data/v1/epss?cve=CVE-2022-25168
epss	0.02255	https://api.first.org/data/v1/epss?cve=CVE-2022-25168
epss	0.02255	https://api.first.org/data/v1/epss?cve=CVE-2022-25168
epss	0.02255	https://api.first.org/data/v1/epss?cve=CVE-2022-25168
epss	0.02255	https://api.first.org/data/v1/epss?cve=CVE-2022-25168
epss	0.02255	https://api.first.org/data/v1/epss?cve=CVE-2022-25168
epss	0.02726	https://api.first.org/data/v1/epss?cve=CVE-2022-25168
epss	0.02726	https://api.first.org/data/v1/epss?cve=CVE-2022-25168
epss	0.02726	https://api.first.org/data/v1/epss?cve=CVE-2022-25168
epss	0.02726	https://api.first.org/data/v1/epss?cve=CVE-2022-25168
epss	0.02726	https://api.first.org/data/v1/epss?cve=CVE-2022-25168
epss	0.02726	https://api.first.org/data/v1/epss?cve=CVE-2022-25168
epss	0.02726	https://api.first.org/data/v1/epss?cve=CVE-2022-25168
epss	0.02726	https://api.first.org/data/v1/epss?cve=CVE-2022-25168
epss	0.02726	https://api.first.org/data/v1/epss?cve=CVE-2022-25168
epss	0.02726	https://api.first.org/data/v1/epss?cve=CVE-2022-25168
epss	0.02726	https://api.first.org/data/v1/epss?cve=CVE-2022-25168
epss	0.02726	https://api.first.org/data/v1/epss?cve=CVE-2022-25168
epss	0.02726	https://api.first.org/data/v1/epss?cve=CVE-2022-25168
epss	0.02726	https://api.first.org/data/v1/epss?cve=CVE-2022-25168
epss	0.02726	https://api.first.org/data/v1/epss?cve=CVE-2022-25168
epss	0.02726	https://api.first.org/data/v1/epss?cve=CVE-2022-25168
epss	0.02726	https://api.first.org/data/v1/epss?cve=CVE-2022-25168
epss	0.02726	https://api.first.org/data/v1/epss?cve=CVE-2022-25168
epss	0.02726	https://api.first.org/data/v1/epss?cve=CVE-2022-25168
epss	0.02726	https://api.first.org/data/v1/epss?cve=CVE-2022-25168
epss	0.02726	https://api.first.org/data/v1/epss?cve=CVE-2022-25168
epss	0.02726	https://api.first.org/data/v1/epss?cve=CVE-2022-25168
epss	0.02726	https://api.first.org/data/v1/epss?cve=CVE-2022-25168
epss	0.02726	https://api.first.org/data/v1/epss?cve=CVE-2022-25168
epss	0.02726	https://api.first.org/data/v1/epss?cve=CVE-2022-25168
epss	0.02753	https://api.first.org/data/v1/epss?cve=CVE-2022-25168
epss	0.02753	https://api.first.org/data/v1/epss?cve=CVE-2022-25168
epss	0.02753	https://api.first.org/data/v1/epss?cve=CVE-2022-25168
epss	0.02753	https://api.first.org/data/v1/epss?cve=CVE-2022-25168
epss	0.02753	https://api.first.org/data/v1/epss?cve=CVE-2022-25168
epss	0.02753	https://api.first.org/data/v1/epss?cve=CVE-2022-25168
epss	0.02753	https://api.first.org/data/v1/epss?cve=CVE-2022-25168
epss	0.02753	https://api.first.org/data/v1/epss?cve=CVE-2022-25168
epss	0.02753	https://api.first.org/data/v1/epss?cve=CVE-2022-25168
epss	0.02753	https://api.first.org/data/v1/epss?cve=CVE-2022-25168
epss	0.02753	https://api.first.org/data/v1/epss?cve=CVE-2022-25168
epss	0.02753	https://api.first.org/data/v1/epss?cve=CVE-2022-25168
epss	0.02753	https://api.first.org/data/v1/epss?cve=CVE-2022-25168
epss	0.02753	https://api.first.org/data/v1/epss?cve=CVE-2022-25168
epss	0.02753	https://api.first.org/data/v1/epss?cve=CVE-2022-25168
epss	0.02753	https://api.first.org/data/v1/epss?cve=CVE-2022-25168
epss	0.02753	https://api.first.org/data/v1/epss?cve=CVE-2022-25168
epss	0.02753	https://api.first.org/data/v1/epss?cve=CVE-2022-25168
epss	0.02827	https://api.first.org/data/v1/epss?cve=CVE-2022-25168
epss	0.05938	https://api.first.org/data/v1/epss?cve=CVE-2022-25168
rhbs	high	https://bugzilla.redhat.com/show_bug.cgi?id=2119084
cvssv3.1_qr	CRITICAL	https://github.com/advisories/GHSA-8wm5-8h9c-47pc
cvssv3.1	3.3	https://github.com/apache/hadoop
generic_textual	LOW	https://github.com/apache/hadoop
cvssv3.1	9.8	https://github.com/apache/hadoop/commit/cae749b076f35f0be13a926ee8cfbb7ce4402746
generic_textual	CRITICAL	https://github.com/apache/hadoop/commit/cae749b076f35f0be13a926ee8cfbb7ce4402746
cvssv3.1	9.8	https://lists.apache.org/thread/mxqnb39jfrwgs3j6phwvlrfq4mlox130
generic_textual	CRITICAL	https://lists.apache.org/thread/mxqnb39jfrwgs3j6phwvlrfq4mlox130
cvssv3	9.8	https://nvd.nist.gov/vuln/detail/CVE-2022-25168
cvssv3.1	9.8	https://nvd.nist.gov/vuln/detail/CVE-2022-25168
cvssv3.1	9.8	https://security.netapp.com/advisory/ntap-20220915-0007
generic_textual	CRITICAL	https://security.netapp.com/advisory/ntap-20220915-0007

Reference id	Reference type	URL
		https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-25168.json
		https://api.first.org/data/v1/epss?cve=CVE-2022-25168
		https://github.com/apache/hadoop
		https://github.com/apache/hadoop/commit/cae749b076f35f0be13a926ee8cfbb7ce4402746
		https://lists.apache.org/thread/mxqnb39jfrwgs3j6phwvlrfq4mlox130
		https://security.netapp.com/advisory/ntap-20220915-0007
		https://security.netapp.com/advisory/ntap-20220915-0007/
2119084		https://bugzilla.redhat.com/show_bug.cgi?id=2119084
cpe:2.3:a:apache:hadoop::::::::		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:hadoop::::::::
CVE-2022-25168		https://nvd.nist.gov/vuln/detail/CVE-2022-25168
GHSA-8wm5-8h9c-47pc		https://github.com/advisories/GHSA-8wm5-8h9c-47pc

No exploits are available.

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-25168.json

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N Found at https://github.com/apache/hadoop

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/apache/hadoop/commit/cae749b076f35f0be13a926ee8cfbb7ce4402746

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://lists.apache.org/thread/mxqnb39jfrwgs3j6phwvlrfq4mlox130

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2022-25168

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2022-25168

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://security.netapp.com/advisory/ntap-20220915-0007

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Exploit Prediction Scoring System (EPSS)

Percentile	0.78197
EPSS Score	0.00564
Published At	Nov. 1, 2024, midnight

Date	Actor	Action	Source	VulnerableCode Version
There are no relevant records.