Hello,

Thank you for reporting it.

By the way, we won't release spark-2.10 starting from the next release, so you don't have to worry about it.

Best regards,
Jongyoul

On Thu, Sep 21, 2023 at 9:57 PM, James Watt <crispy.james.w...@gmail.com> wrote:

> Hi there,
>
> I think the method `org.apache.hadoop.mapreduce.filecache.ClientDistributedCacheManager.checkPermissionOfOther(FileSystem fs, Path path, FsAction action, Map<URI, FileStatus> statCache)` may have an "Incorrect Permission Assignment for Critical Resource" vulnerability, which is vulnerable in org.apache.zeppelin:zeppelin-spark-dependencies-2.10 before 2.7.3. It shares similarities to a recent CVE disclosure *CVE-2017-3166* in the same *"apache/hadoop"* project.
>
> The source vulnerability information is as follows:
>
>> *Vulnerability Detail:*
>>
>> *CVE Identifier:* CVE-2017-3166
>>
>> *Description*: In Apache Hadoop versions 2.6.1 to 2.6.5, 2.7.0 to 2.7.3, and 3.0.0-alpha1, if a file in an encryption zone with access permissions that make it world readable is localized via YARN's localization mechanism, that file will be stored in a world-readable location and can be shared freely with any application that requests to localize that file.
>>
>> *Reference:* https://nvd.nist.gov/vuln/detail/CVE-2017-3166
>>
>> *Patch*: https://github.com/apache/hadoop/commit/a47d8283b136aab5b9fa4c18e6f51fa799d91a29
>
> *Vulnerability Description:* The vulnerability is present in the class org.apache.hadoop.mapreduce.filecache.ClientDistributedCacheManager in the method checkPermissionOfOther(FileSystem fs, Path path, FsAction action, Map<URI, FileStatus> statCache), which is responsible for checking the permissions of other files in the distributed cache.
>
> *But the check snippet is similar to the vulnerable snippet for CVE-2017-3166* and may have the same consequence as CVE-2017-3166: *a file in an encryption zone with access permissions will be stored in a world-readable location and can be freely shared with any application that requests the file to be localized*. Therefore, maybe you need to fix the vulnerability with much the same fix code as the CVE-2017-3166 patch.
>
> Considering the potential risks it may have, I am willing to cooperate with you to verify, address, and report the identified vulnerability promptly through responsible means. If you require any further information or assistance, please do not hesitate to reach out to me. Thank you, and I look forward to hearing from you soon.
>
> Best regards,
> Yiheng Cao

--
이종열, Jongyoul Lee, 李宗烈
http://madeng.net