Severity
High
Analysis Summary
CVE-2022-25168
Apache Hadoop could allow a local authenticated attacker to execute arbitrary commands on the system, caused by improper input file name validation by the FileUtil.unTar(File, File) API. By sending specially-crafted arguments, an attacker could exploit this vulnerability to execute arbitrary commands on the system.
Impact
- Command Execution
Indicators Of Compromise
CVE
- CVE-2022-25168
Affected Vendors
Apache
Affected Products
- Apache Hadoop 2.0.0
- Apache Hadoop 3.0.0-alpha
- Apache Hadoop 2.10.1
- Apache Hadoop 3.2.3
- Apache Hadoop 3.3.2
Remediation
Upgrade to the latest version of Apache Hadoop, available from the Apache Website.