{"vulnerability": "CVE-2022-26612", "sightings": [{"uuid": "4d39e999-016b-4a5c-aab0-ffb13d6edb04", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-26612", "type": "published-proof-of-concept", "source": "https://t.me/CyberSecurityTechnologies/5862", "content": "#Threat_Research\n1. SSRF Attack Examples and Mitigations\nhttps://goteleport.com/blog/ssrf-attacks\n2. Arbitrary file write during TAR extraction in Apache Hadoop (CVE-2022-26612)\nhttps://securitylab.github.com/advisories/GHSL-2022-012_Apache_Hadoop", "creation_timestamp": "2022-04-22T11:01:07.000000Z"}, {"uuid": "128ca288-f025-49f8-9774-3d70e4ecc868", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-26612", "type": "seen", "source": "https://t.me/arpsyndicate/3143", "content": "#ExploitObserverAlert\n\nCVE-2022-26612\n\nDESCRIPTION: Exploit Observer has 4 entries in 3 file formats related to CVE-2022-26612. In Apache Hadoop, The unTar function uses unTarUsingJava function on Windows and the built-in tar utility on Unix and other OSes. As a result, a TAR entry may create a symlink under the expected extraction directory which points to an external directory. A subsequent TAR entry may extract an arbitrary file into the external directory using the symlink name. This however would be caught by the same targetDirPath check on Unix because of the getCanonicalPath call. However on Windows, getCanonicalPath doesn't resolve symbolic links, which bypasses the check. unpackEntries during TAR extraction follows symbolic links which allows writing outside expected base directory on Windows. 
This was addressed in Apache Hadoop 3.2.3\n\nFIRST-EPSS: 0.015140000\nNVD-IS: 5.9\nNVD-ES: 3.9", "creation_timestamp": "2024-01-28T01:02:45.000000Z"}, {"uuid": "2898b5b8-abcf-424c-bf16-aae78a7b36af", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-26612", "type": "seen", "source": "https://gist.github.com/gfussNET/873e9e64a9664e3b146176c7102074b0", "content": "### Create Service Account in Wiz\n- Save Client ID and Client Secret\n### Obtain Bearer Token with Service Account\n```bash\ncurl --request POST \\\n--url 'https://auth.app.wiz.io/oauth/token' \\\n--header 'content-type: application/x-www-form-urlencoded' \\\n--data grant_type=client_credentials \\\n--data client_id=asdfasdfasdf \\\n--data client_secret=asdfasdfasdf \\\n--data audience=wiz-api\n```\n- In returned JSON, the bearer token is \"access_token\"\n### Create a JSON file of the GraphQL query\nAs the query will be a larger JSON string, it's best to place it in a file that we can reference with the -d or --data flag of curl\nquery.json\n```json\n  {\n    \"query\": \"query VulnerabilityFindingsPage($filterBy: VulnerabilityFindingFilters, $first: Int, $after: String, $orderBy: VulnerabilityFindingOrder) { vulnerabilityFindings( filterBy: $filterBy first: $first after: $after orderBy: $orderBy ) { nodes { id portalUrl name CVEDescription CVSSSeverity score exploitabilityScore severity nvdSeverity weightedSeverity impactScore origin dataSourceName hasExploit hasFix hasCisaKevExploit status isHighProfileThreat vendorSeverity firstDetectedAt lastDetectedAt resolvedAt description remediation detailedName version fixedVersion detectionMethod link locationPath artifactType { ...SBOMArtifactTypeFragment } resolutionReason epssSeverity epssPercentile epssProbability validatedInRuntime layerMetadata { id details isBaseLayer } vcsCodeAuthors { name properties } vcsCodeOwners { name
properties } projects { id name slug businessUnit riskProfile { businessImpact } } ignoreRules { id name enabled expiredAt } cvssv2 { attackVector attackComplexity confidentialityImpact integrityImpact privilegesRequired userInteractionRequired } cvssv3 { attackVector attackComplexity confidentialityImpact integrityImpact privilegesRequired userInteractionRequired availabilityImpact } relatedIssueAnalytics { issueCount criticalSeverityCount highSeverityCount mediumSeverityCount lowSeverityCount informationalSeverityCount } cnaScore vulnerableAsset { ... on VulnerableAssetBase { id type name region providerUniqueId cloudProviderURL cloudPlatform nativeType status subscriptionName subscriptionExternalId subscriptionId tags hasLimitedInternetExposure hasWideInternetExposure isAccessibleFromVPN isAccessibleFromOtherVnets isAccessibleFromOtherSubscriptions } ... on VulnerableAssetVirtualMachine { operatingSystem ipAddresses imageName computeInstanceGroup { id externalId name replicaCount tags } } ... on VulnerableAssetServerless { runtime } ... on VulnerableAssetRepositoryBranch { id type name cloudPlatform repositoryId repositoryName nativeType isUsedOnPrem } ... on VulnerableAssetContainerImage { imageId scanSource registry { name externalId } repository { name externalId } executionControllers { id name entityType externalId providerUniqueId name subscriptionExternalId subscriptionId subscriptionName ancestors { id name entityType externalId providerUniqueId } } } ... 
on VulnerableAssetContainer { ImageExternalId VmExternalId ServerlessContainer PodNamespace PodName NodeName } } } pageInfo { hasNextPage endCursor } } } fragment SBOMArtifactTypeFragment on SBOMArtifactType { group codeLibraryLanguage osPackageManager hostedTechnology { name } plugin custom } \",\n    \"variables\": {\n      \"first\": 100,\n      \"filterBy\": {\n        \"vulnerabilityExternalIdV2\": {\n          \"equals\": [\n            \"CVE-2022-26612\"\n          ]\n        },\n        \"ignoredBy\": {\n          \"isIgnoredByRule\": true\n        }\n      }\n      }\n    }\n  ```\n  \n### Example GraphQL query to show all Vulnerability Findings that have Ignore Rules\n```bash\ncurl -X POST \"https://api.us20.app.wiz.io/graphql\" -H \"Content-Type: application/json\" -H \"Authorization: Bearer \" -d @query.json \n```\n", "creation_timestamp": "2026-06-12T19:54:24.000000Z"}]}