Details
Description
There is a risk for arbitrary shell command injection via Utils.unpack when the filename is controlled by a malicious user. This is due to an issue in Hadoop's unTar, that is not properly escaping the filename before passing to a shell command:https://github.com/apache/hadoop/blob/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/FileUtil.java#L904