
[GHSA-898j-5cc8-cmf5] Moderate severity vulnerability that affects org.apache.storm:storm-core

Open MarkLee131 opened this issue 1 year ago • 2 comments

Updates

  • References

Add four patches:

  • https://github.com/apache/storm/commit/0fc6b522487c061f89e8cdacf09f722d3f20589
  • https://github.com/apache/storm/commit/efad4cca2d7d461f5f8c08a0d7b51fabeb82d0a
  • https://github.com/apache/storm/commit/1117a37b01a1058897a34e11ff5156e465efb69
  • https://github.com/apache/storm/commit/f61e5daf299d6c37c7ad65744d02556c94a16a4

The commit message claims STORM-3052: Allow for blobs to be unzipped/untarred.

MarkLee131, Mar 03 '24 17:03

Hey @MarkLee131, not sure I follow on this one. Can you elaborate on how the commits resolve a zip slip and/or do you know of some linkage to the advisory?

darakian, Mar 04 '24 22:03

Hi, you can see the root cause of this CVE on the NVD or CVE website, and the commit messages and code diffs of these commits show their intention of fixing the zip-slip vuln for archive files in STORM-3052: https://issues.apache.org/jira/browse/STORM-3052.

Meanwhile, Snyk also detailed this vuln in its report (https://security.snyk.io/vuln/SNYK-JAVA-ORGAPACHESTORM-73624), and referred to one of our updated patch commits: https://github.com/apache/storm/commit/1117a37b01a1058897a34e11ff5156e465efb692.

MarkLee131, Mar 18 '24 08:03
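The thread above discusses how the STORM-3052 commits address a zip slip when blobs are unzipped or untarred. The following is an added example written for this page, not code from Apache Storm or from the linked commits. It shows the defect class in a small Python extractor (an entry name joined onto the destination and written wherever it lands) beside the hardened form, which canonicalizes every entry path against the extraction root before writing anything, and applies the same policy to tar blobs while refusing link and device entries. All function names, the in-memory archives and the scratch directory are assumptions made for illustration.

```python
import io
import os
import tarfile
import zipfile


def is_within_directory(base_dir: str, target: str) -> bool:
    """True if `target`, after canonicalization, stays inside `base_dir`.

    realpath collapses '..' components and resolves symlinks, so neither
    'sub/../../x' nor an absolute entry name can land outside base_dir.
    """
    base = os.path.realpath(base_dir)
    resolved = os.path.realpath(target)
    return resolved == base or resolved.startswith(base + os.sep)


def escaping_entries(names, dest_dir: str) -> list:
    """Return the archive entry names that would be written outside dest_dir."""
    return [n for n in names
            if not is_within_directory(dest_dir, os.path.join(dest_dir, n))]


def extract_zip_unsafe(data: bytes, dest_dir: str) -> list:
    """Naive extractor (the zip-slip pattern, kept only for contrast):
    the entry name is joined onto dest_dir and written wherever it lands."""
    written = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            out_path = os.path.join(dest_dir, info.filename)
            os.makedirs(os.path.dirname(out_path), exist_ok=True)
            with open(out_path, "wb") as fh:
                fh.write(zf.read(info))
            written.append(os.path.realpath(out_path))
    return written


def extract_zip_safe(data: bytes, dest_dir: str) -> list:
    """Hardened extractor: validate every entry name before writing anything,
    so a hostile archive is rejected as a whole rather than half-extracted."""
    written = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        bad = escaping_entries([i.filename for i in zf.infolist()], dest_dir)
        if bad:
            raise ValueError(f"archive entries escape {dest_dir}: {bad}")
        for info in zf.infolist():
            out_path = os.path.join(dest_dir, info.filename)
            if info.is_dir():
                os.makedirs(out_path, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(out_path), exist_ok=True)
            with open(out_path, "wb") as fh:
                fh.write(zf.read(info))
            written.append(os.path.realpath(out_path))
    return written


def extract_tar_safe(data: bytes, dest_dir: str) -> list:
    """Same policy for tar blobs. Only regular files and directories are
    extracted; symlinks, hardlinks and device nodes are rejected, since a
    link target is a second path that would also have to be confined."""
    written = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
        members = tf.getmembers()
        bad = escaping_entries([m.name for m in members], dest_dir)
        odd = [m.name for m in members if not (m.isfile() or m.isdir())]
        if bad or odd:
            raise ValueError(f"rejected tar: escaping={bad} non-regular={odd}")
        for m in members:
            out_path = os.path.join(dest_dir, m.name)
            if m.isdir():
                os.makedirs(out_path, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(out_path), exist_ok=True)
            with open(out_path, "wb") as fh:
                fh.write(tf.extractfile(m).read())
            written.append(os.path.realpath(out_path))
    return written


def build_zip(entries: dict) -> bytes:
    """Constructed in-memory zip; zipfile does not sanitize names on write."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_tar(entries: dict) -> bytes:
    """Constructed in-memory tar; names ending in '/' become directories."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, content in entries.items():
            info = tarfile.TarInfo(name)
            if name.endswith("/"):
                info.type = tarfile.DIRTYPE
            info.size = len(content)
            tf.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def run_demo() -> dict:
    """Run both extractors on constructed archives inside a scratch directory."""
    import tempfile
    outer = tempfile.mkdtemp()
    hostile_zip = build_zip({"good.txt": b"ok", "../evil.txt": b"not ok"})
    benign_tar = build_tar({"conf/": b"", "conf/app.yaml": b"k: v"})
    results = {}
    extract_zip_unsafe(hostile_zip, os.path.join(outer, "unsafe"))
    results["unsafe_escaped"] = os.path.exists(os.path.join(outer, "evil.txt"))
    try:
        extract_zip_safe(hostile_zip, os.path.join(outer, "safe"))
        results["safe_refused"] = False
    except ValueError:
        results["safe_refused"] = not os.path.exists(os.path.join(outer, "safe"))
    extract_tar_safe(benign_tar, os.path.join(outer, "tar"))
    with open(os.path.join(outer, "tar", "conf", "app.yaml"), "rb") as fh:
        results["tar_content"] = fh.read()
    return results


if __name__ == "__main__":
    print(run_demo())
```

The two design points worth carrying into any real fix are the canonicalization (compare resolved paths, with a trailing separator, rather than checking for ".." substrings) and the validate-then-write order, so a hostile blob never leaves a partially extracted tree behind.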

Hi @MarkLee131! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future!

advisory-database[bot], Mar 20 '24 17:03