CVE-2018-8009

Exp

Apache Hadoop 3.1.0, 3.0.0-alpha to 3.0.2, 2.9.0 to 2.9.1, 2.8.0 to 2.8.4, 2.0.0-alpha to 2.7.6, 0.23.0 to 0.23.11 is exploitable via the zip slip vulnerability in places that accept a zip file.

Published: 2018-11-13 Last update: 2024-11-21 Assigner: [email protected] Source: [email protected]
NVD Status:ModifiedCVE State: published
View at NVD, CVE.org, EUVD

CVE-2018-8009 is rated High Exploit Risk (81.3/100): CVSS High severity, with medium exploitation likelihood (EPSS 4.62%). 1 public exploit reference(s) are indexed (Exploit-DB). Public exploits are available—assess exposure, apply mitigations, and prioritize patching.

Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.

Public exploit references (Exploit-DB) for CVE-2018-8009

EDB-ID Source Kind Published Link
nvd_ref exploit_tag Exploit-DB ↗

Exploit prediction scoring system (EPSS) score for CVE-2018-8009

EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).

# Date Old EPSS score New EPSS score Delta (New - Old)
1 2026-05-30 4.85% 4.62% -0.23%
2 2026-05-19 5.89% 4.85% -1.04%
3 2026-03-13 5.89%

Full EPSS history (29 records total)

Common vulnerability scoring system (CVSS) metrics for CVE-2018-8009

CVSS metrics for this CVE.

Base score Version Severity Vector Exploitability Impact Score source
8.8 3.0 HIGH
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Click to expand
Attack vector (AV:N)
Could be attacked over the internet or any normal routed network—not just someone sitting at the machine.
Attack complexity (AC:L)
Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:L)
A normal user session is enough; they don’t have to be admin.
User interaction (UI:N)
Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:U)
Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:H)
Serious risk that confidential data gets exposed in a big way.
Integrity (I:H)
They could widely tamper with or forge data—trust in the data is badly hurt.
Availability (A:H)
Could take the service down hard or make it unusable for people who depend on it.
 2.8 5.9 [email protected]
6.5 2.0 MEDIUM
AV:N/AC:L/Au:S/C:P/I:P/A:P Click to expand
Access vector (AV:N)
Can be exploited remotely over network reachability.
Access complexity (AC:L)
Exploitation conditions are straightforward and predictable.
Authentication (AU:S)
A single authentication is required.
Confidentiality impact (C:P)
Partial confidentiality impact.
Integrity impact (I:P)
Partial integrity impact.
Availability impact (A:P)
Partial availability impact.
 8.0 6.4 [email protected]

Weakness enumeration for CVE-2018-8009

GitHub Security Advisory for CVE-2018-8009

OS Trackers for CVE-2018-8009

vendor priority summary link
redhat high https://access.redhat.com/security/cve/CVE-2018-8009
suse medium CVE-2018-8009 severity moderate: SUSE including 1 source package names (hadoop), 2 product×package rows across 2 product lines (SUSE Manager Server 3.1, SUSE Manager Server 3.2): Known Not Affected 2. https://www.suse.com/security/cve/CVE-2018-8009/

Affected software / configurations for CVE-2018-8009

Vendor Product Version Raw CPE
apache hadoop >= 0.23.0, <= 0.23.11 cpe:2.3:a:apache:hadoop:*:*:*:*:*:*:*:*
apache hadoop >= 2.0.0, <= 2.7.6 cpe:2.3:a:apache:hadoop:*:*:*:*:*:*:*:*
apache hadoop >= 2.8.0, <= 2.8.4 cpe:2.3:a:apache:hadoop:*:*:*:*:*:*:*:*
apache hadoop >= 2.9.0, <= 2.9.1 cpe:2.3:a:apache:hadoop:*:*:*:*:*:*:*:*
apache hadoop >= 3.0.0, <= 3.0.2 cpe:2.3:a:apache:hadoop:*:*:*:*:*:*:*:*
apache hadoop 2.0.0 cpe:2.3:a:apache:hadoop:2.0.0:alpha:*:*:*:*:*:*
apache hadoop 3.0.0 cpe:2.3:a:apache:hadoop:3.0.0:alpha1:*:*:*:*:*:*
apache hadoop 3.0.0 cpe:2.3:a:apache:hadoop:3.0.0:alpha2:*:*:*:*:*:*
apache hadoop 3.0.0 cpe:2.3:a:apache:hadoop:3.0.0:alpha3:*:*:*:*:*:*
apache hadoop 3.0.0 cpe:2.3:a:apache:hadoop:3.0.0:alpha4:*:*:*:*:*:*
apache hadoop 3.0.0 cpe:2.3:a:apache:hadoop:3.0.0:beta1:*:*:*:*:*:*
apache hadoop 3.1.0 cpe:2.3:a:apache:hadoop:3.1.0:*:*:*:*:*:*:*

References for CVE-2018-8009

URL Tags
http://www.securityfocus.com/bid/105927 Third Party Advisory VDB Entry
https://access.redhat.com/errata/RHSA-2019:3892
https://hadoop.apache.org/cve_list.html#cve-2018-8009-http-cve-mitre-org-cgi-bin-cvename-cgi-name-cve-2018-8009-zip-slip-impact-on-apache-hadoop Vendor Advisory
https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451%40%3Csolr-user.lucene.apache.org%3E
https://lists.apache.org/thread.html/a1c227745ce30acbcf388c5b0cc8423e8bf495d619cd0fa973f7f38d%40%3Cuser.hadoop.apache.org%3E
https://lists.apache.org/thread.html/r4dddf1705dbedfa94392913b2dad1cd2d1d89040facd389eea0b3510%40%3Ccommits.druid.apache.org%3E
https://lists.apache.org/thread.html/rb21df54a4e39732ce653d2aa5672e36a792b59eb6717f2a06bb8d02a%40%3Ccommits.druid.apache.org%3E
https://snyk.io/research/zip-slip-vulnerability Exploit Third Party Advisory
cvelogic Threat Intelligence