Apache AsterixDB security advisories

Security information for Apache AsterixDB

Reporting

Do you want disclose a potential security issue for Apache AsterixDB? Send your report to the Apache Security Team.

Advisories

This section is experimental: it provides advisories since 2023 and may lag behind the official CVE publications. If you have any feedback on how you would like this data to be provided, you are welcome to reach out on our public mailinglist or privately on security@apache.org

unzip directory traversal

CVE-2020-9479 [CVE] [CVE json] [OSV json]

Last updated: 2021-03-01T15:49:19.297Z

Affected

  • Apache AsterixDB at git

Description

When loading a UDF, a specially crafted zip file could allow files to be placed outside of the UDF deployment directory. This issue affected Apache AsterixDB unreleased builds between commits 580b81aa5e8888b8e1b0620521a1c9680e54df73 and 28c0ee84f1387ab5d0659e9e822f4e3923ddc22d.

Note: this CVE may be REJECTed as the issue did not affect any released versions of Apache AsterixDB

References

Credits

  • This issue was discovered by Yiming Xiang of NSFOCUS