Description
Apache Storm versions 1.0.6 and earlier, 1.1.2 and earlier, and 1.2.1 and earlier contain an arbitrary file write vulnerability that can be triggered with a specially crafted archive whose entry names contain path traversal sequences (zip is the common case, but bzip2, tar, xz, war, cpio and 7z archives are affected as well). When such a filename is concatenated to the target extraction directory without validation, the resulting path resolves outside of the intended folder.
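The following added example (not Apache Storm's code) illustrates the mechanism and the fix in Python: a constructed in-memory zip holds one entry with `../` components, the naive join shows where that entry would land, and the hardened resolver canonicalizes the path and rejects anything that leaves the extraction directory. All paths and entry names are constructed sample values.

```python
import io
import os
import zipfile


def build_traversal_zip() -> bytes:
    """Constructed sample archive: one benign entry and one entry whose
    name carries '../' traversal components (test data, not a real artifact)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("topology/config.yaml", "nimbus.seeds: [localhost]\n")
        zf.writestr("../../../tmp/evil.sh", "echo overwritten\n")
    return buf.getvalue()


def naive_target(dest_dir: str, entry_name: str) -> str:
    """The vulnerable pattern: the entry name is concatenated onto the
    extraction directory and used as-is; normpath shows where it resolves."""
    return os.path.normpath(os.path.join(dest_dir, entry_name))


def safe_target(dest_dir: str, entry_name: str) -> str:
    """Hardened resolution: canonicalize both paths and require the entry
    to stay inside dest_dir, raising on any traversal attempt."""
    root = os.path.realpath(dest_dir)
    candidate = os.path.realpath(os.path.join(root, entry_name))
    if os.path.commonpath([root, candidate]) != root:
        raise ValueError(f"path traversal rejected: {entry_name!r}")
    return candidate


def audit_archive(data: bytes, dest_dir: str) -> dict:
    """Classify each entry as 'inside' or 'traversal' without extracting,
    so an archive can be screened before anything is written to disk."""
    verdicts = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            try:
                safe_target(dest_dir, name)
                verdicts[name] = "inside"
            except ValueError:
                verdicts[name] = "traversal"
    return verdicts


if __name__ == "__main__":
    archive = build_traversal_zip()
    for entry, verdict in audit_archive(archive, "/srv/storm/extract").items():
        print(f"{verdict:9s} {entry} -> {naive_target('/srv/storm/extract', entry)}")
```

The audit only inspects entry names, so it can run as a pre-extraction check on untrusted archives; the same root-prefix comparison applies to tar and the other formats named above.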
Remediation
References
http://www.securityfocus.com/bid/104418
https://lists.apache.org/thread.html/613b2fca8bcd0a3b12c0b763ea8f7cf62e422e9f79fce6cfa5b08a58%40%3Cdev.storm.apache.org%3E