The Kerberos/MapReduce security functionality in Apache Hadoop 0.20.203.0 through 0.20.205.0, 0.23.x before 0.23.2, and 1.0.x before 1.0.2, as used in Cloudera CDH CDH3u0 through CDH3u2, Cloudera hadoop-0.20-sbin before 0.20.2+923.197, and other products, allows remote authenticated users to impersonate arbitrary cluster user accounts via unspecified vectors.
Max CVSS 6.5 | EPSS 0.21% | Published 2012-04-12 | Updated 2017-03-24
Apache Hadoop 1.0.3 contains a symlink vulnerability.
Max CVSS 7.5 | EPSS 0.17% | Published 2019-10-29 | Updated 2019-10-31
DataNodes in Apache Hadoop 2.0.0-alpha do not check the BlockTokens of clients when Kerberos is enabled and the DataNode has checked out the same BlockPool twice from a NameNode, which might allow remote clients to read arbitrary blocks, write to blocks to which they only have read access, and have other unspecified impacts.
Max CVSS 7.5 | EPSS 0.22% | Published 2012-07-12 | Updated 2017-03-24
Apache Hadoop before 0.23.4, 1.x before 1.0.4, and 2.x before 2.0.2 generate token passwords using a 20-bit secret when Kerberos security features are enabled, which makes it easier for context-dependent attackers to crack secret keys via a brute-force attack.
Max CVSS 9.8 | EPSS 0.16% | Published 2017-10-30 | Updated 2017-11-21
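To make the 20-bit figure concrete, here is an added Python example; it is not Hadoop's SecretManager and not code from this listing. It models a token password as HMAC-SHA1 over the token identifier, recovers a 20-bit secret from a single observed token, then forges a password for a different owner. The token identifier layout is a constructed stand-in for Hadoop's serialized identifier, and the HMAC rate used for the time estimate is an assumed figure.

```python
import hashlib
import hmac
import secrets

# Constructed model, not Hadoop's SecretManager code: a token password is
# HMAC-SHA1(secret, token_identifier). The vulnerable behaviour modelled here
# is a secret with only 20 bits of entropy; a fixed build uses 20 bytes.
WEAK_KEY_BITS = 20
FIXED_KEY_BYTES = 20


def make_password(secret: bytes, identifier: bytes) -> bytes:
    """Token password = HMAC-SHA1(secret, identifier)."""
    return hmac.new(secret, identifier, hashlib.sha1).digest()


def weak_key(index: int) -> bytes:
    """The 2**20 possible weak secrets, enumerated by a 20-bit counter."""
    if not 0 <= index < (1 << WEAK_KEY_BITS):
        raise ValueError("index outside the 20-bit key space")
    return index.to_bytes(3, "big")


def recover_weak_key(identifier: bytes, password: bytes):
    """Recover the secret from one observed (identifier, password) pair.

    Returns (key_index, hmac_evaluations) or (None, 2**20). Worst case is a
    million HMAC-SHA1 evaluations, a few seconds of single-core CPython.
    """
    for index in range(1 << WEAK_KEY_BITS):
        if hmac.compare_digest(make_password(weak_key(index), identifier), password):
            return index, index + 1
    return None, 1 << WEAK_KEY_BITS


def forge_token(key_index: int, identifier: bytes) -> bytes:
    """With the secret known, any token identifier gets a valid password."""
    return make_password(weak_key(key_index), identifier)


def expected_bruteforce_seconds(key_bits: int, hmacs_per_second: float = 1e6) -> float:
    """Average brute-force time: half the key space at an assumed HMAC rate."""
    return (2 ** key_bits) / 2 / hmacs_per_second


if __name__ == "__main__":
    # Constructed token identifier; real Hadoop identifiers are serialized
    # Writables carrying owner, renewer, issue date and sequence number.
    observed_identifier = b"owner=alice;renewer=yarn;issueDate=1500000000;seq=42"
    secret_index = secrets.randbelow(1 << WEAK_KEY_BITS)
    observed_password = make_password(weak_key(secret_index), observed_identifier)

    recovered, tries = recover_weak_key(observed_identifier, observed_password)
    assert recovered == secret_index
    forged = forge_token(recovered, b"owner=hdfs;renewer=yarn;issueDate=1500000000;seq=43")
    print(f"secret recovered after {tries} HMACs; forged password {forged.hex()}")
    print(f"20-bit key:  ~{expected_bruteforce_seconds(WEAK_KEY_BITS):.3f} s on average")
    print(f"160-bit key: ~{expected_bruteforce_seconds(8 * FIXED_KEY_BYTES):.3e} s on average")
```

The only input the attacker needs is one token they were legitimately issued; the secret is then shared by every token the same master key signed.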
The RPC protocol implementation in Apache Hadoop 2.x before 2.0.6-alpha, 0.23.x before 0.23.9, and 1.x before 1.2.1, when the Kerberos security features are enabled, allows man-in-the-middle attackers to disable bidirectional authentication and obtain sensitive information by forcing a downgrade to simple authentication.
Max CVSS 3.2 | EPSS 0.09% | Published 2014-01-24 | Updated 2017-03-24
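An added Python model of the negotiation (not Hadoop's RPC code): the server advertises its authentication methods, an on-path attacker rewrites that advertisement to offer only simple authentication, and the outcome depends on whether the client enforces its own policy or trusts the server's list. The hadoop.security.authentication and ipc.client.fallback-to-simple-auth-allowed keys are the real configuration names; the message shapes and the trust_server_list switch are constructed for the illustration.

```python
from dataclasses import dataclass

# Constructed model of the client/server auth negotiation; not Hadoop's RPC
# code. Only the two configuration key names in the comments are real.
KERBEROS, SIMPLE = "KERBEROS", "SIMPLE"


@dataclass(frozen=True)
class ClientConfig:
    authentication: str = KERBEROS   # hadoop.security.authentication
    fallback_allowed: bool = False   # ipc.client.fallback-to-simple-auth-allowed


def server_hello(server_methods):
    """First server message: the methods it is willing to authenticate with."""
    return {"msg": "NEGOTIATE", "auths": list(server_methods)}


def attacker_rewrite(hello):
    """On-path attacker strips everything but SIMPLE before the client sees it."""
    return {"msg": "NEGOTIATE", "auths": [m for m in hello["auths"] if m == SIMPLE] or [SIMPLE]}


def client_select(hello, cfg: ClientConfig, trust_server_list: bool) -> str:
    """Pick a method. trust_server_list=True models the vulnerable client that
    takes the server's word; False models a client applying its own policy."""
    offered = hello["auths"]
    if cfg.authentication == SIMPLE:
        return SIMPLE                      # cluster not secured at all
    if KERBEROS in offered:
        return KERBEROS
    if SIMPLE in offered and (trust_server_list or cfg.fallback_allowed):
        return SIMPLE                      # downgrade: no server identity proof
    raise ConnectionRefusedError("no acceptable auth method offered; refusing downgrade")


def run_session(server_methods, cfg, trust_server_list, on_path_attacker) -> dict:
    hello = server_hello(server_methods)
    if on_path_attacker:
        hello = attacker_rewrite(hello)
    try:
        method = client_select(hello, cfg, trust_server_list)
    except ConnectionRefusedError as e:
        return {"method": None, "server_authenticated": False, "outcome": str(e)}
    exposed = on_path_attacker and method == SIMPLE
    return {"method": method,
            "server_authenticated": method == KERBEROS,   # only Kerberos is mutual
            "outcome": "attacker reads plaintext traffic" if exposed else "secure"}


def demo() -> dict:
    secure = ClientConfig()
    return {
        "honest_server": run_session([KERBEROS], secure, True, False),
        "vulnerable_client": run_session([KERBEROS], secure, True, True),
        "hardened_client": run_session([KERBEROS], secure, False, True),
        "fallback_opted_in": run_session([KERBEROS], ClientConfig(fallback_allowed=True), False, True),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:18s} {result}")
```

The practical check is that a Kerberos-configured client leaves the fallback setting at its default of false; once an operator enables it to reach an insecure cluster, the hardened client behaves exactly like the vulnerable one against an on-path attacker.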
Apache Hadoop 0.23.x before 0.23.11 and 2.x before 2.4.1, as used in Cloudera CDH 5.0.x before 5.0.2, do not check authorization for the (1) refreshNamenodes, (2) deleteBlockPool, and (3) shutdownDatanode HDFS admin commands, which allows remote authenticated users to cause a denial of service (DataNode shutdown) or perform unnecessary operations by issuing a command.
Max CVSS 6.5 | EPSS 0.07% | Published 2017-03-23 | Updated 2017-03-28
The YARN NodeManager daemon in Apache Hadoop 0.23.0 through 0.23.11 and 2.x before 2.5.2, when using Kerberos authentication, allows remote cluster users to change the permissions of certain files to world-readable via a symlink attack in a public tar archive, which is not properly handled during localization, related to the distributed cache.
Max CVSS 5.0 | EPSS 0.11% | Published 2014-12-05 | Updated 2014-12-06
Apache Hadoop 2.6.x encrypts intermediate data generated by a MapReduce job and stores it along with the encryption key in a credentials file on disk when the intermediate data encryption feature is enabled, which allows local users to obtain sensitive information by reading the file.
Max CVSS 6.2 | EPSS 0.05% | Published 2016-04-19 | Updated 2016-11-28
The Hadoop connector 1.1.1, 2.4, 2.5, and 2.7.0-0 before 2.7.0-3 for IBM Spectrum Scale and General Parallel File System (GPFS) allows local users to read or write to arbitrary GPFS data via unspecified vectors.
Max CVSS 8.4 | EPSS 0.08% | Published 2016-01-02 | Updated 2016-01-07
The YARN NodeManager in Apache Hadoop 2.6.x before 2.6.5 and 2.7.x before 2.7.3 can leak the password for the credential store provider used by the NodeManager to YARN applications.
Max CVSS 9.8 | EPSS 0.07% | Published 2017-09-05 | Updated 2017-09-11
An information disclosure vulnerability in the short-circuit reads feature of HDFS in Apache Hadoop before 2.6.4 and 2.7.x before 2.7.2: a local user on an HDFS DataNode may be able to craft a block token that grants unauthorized read access to files by guessing certain fields in the token.
Max CVSS 5.5 | EPSS 0.04% | Published 2017-08-30 | Updated 2021-07-03
In Apache Hadoop 2.6.x before 2.6.5 and 2.7.x before 2.7.3, a remote user who can authenticate with the HDFS NameNode can possibly run arbitrary commands with the same privileges as the HDFS service.
Max CVSS 8.8 | EPSS 0.09% | Published 2016-11-29 | Updated 2016-12-01
In Apache Hadoop 2.x before 2.7.4, a user who can escalate to the yarn user can possibly run arbitrary commands as the root user.
Max CVSS 9.0 | EPSS 0.11% | Published 2017-04-11 | Updated 2018-05-10
The HDFS web UI in Apache Hadoop before 2.7.0 is vulnerable to a cross-site scripting (XSS) attack through an unescaped query parameter.
Max CVSS 6.1 | EPSS 0.20% | Published 2017-04-26 | Updated 2021-07-03
HDFS clients interact with a servlet on the DataNode to browse the HDFS namespace. In Apache Hadoop before 2.7.0, the NameNode address that servlet connects to is taken from a query parameter that is not validated.
Max CVSS 7.5 | EPSS 0.32% | Published 2017-04-26 | Updated 2021-07-03
In Apache Hadoop versions 2.6.1 to 2.6.5, 2.7.0 to 2.7.3, and 3.0.0-alpha1, if a file in an encryption zone whose access permissions make it world-readable is localized via YARN's localization mechanism, that file will be stored in a world-readable location and can be shared freely with any application that requests to localize that file.
Max CVSS 7.8 | EPSS 0.04% | Published 2017-11-13 | Updated 2020-08-24
In Apache Hadoop 2.8.0, 3.0.0-alpha1, and 3.0.0-alpha2, the LinuxContainerExecutor runs docker commands as root with insufficient input validation. When the docker feature is enabled, authenticated users can run commands as root.
Max CVSS 8.5 | EPSS 0.08% | Published 2017-06-05 | Updated 2017-06-09
A vulnerability in Apache Hadoop 0.23.x, 2.x before 2.7.5, 2.8.x before 2.8.3, and 3.0.0-alpha through 3.0.0-beta1 allows a cluster user to expose private files owned by the user running the MapReduce job history server process. The malicious user can construct a configuration file containing XML external entity declarations that reference sensitive files on the MapReduce job history server host.
Max CVSS 6.5 | EPSS 0.05% | Published 2018-01-19 | Updated 2018-02-06
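The job history server entry above is an XML external entity (XXE) issue. The following added Python example is not Hadoop's configuration parser: it builds a constructed configuration document whose <value> expands an entity pointing at a file on the parsing host, then parses it twice with xml.sax, once with external general entities resolved (the file content lands in the property value) and once with them disabled. The file path, its content and the property name are all constructed.

```python
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges

# Added example, not Hadoop's Configuration loader. The document mimics the
# <property><name/><value/></property> layout of a Hadoop XML config and
# carries an external entity that points at a file on the parsing host.
CONF_TEMPLATE = """<?xml version="1.0"?>
<!DOCTYPE configuration [
  <!ENTITY xxe SYSTEM "{path}">
]>
<configuration>
  <property>
    <name>mapreduce.job.name</name>
    <value>&xxe;</value>
  </property>
</configuration>
"""


class PropertyCollector(ContentHandler):
    """Collects <name>/<value> text into a dict, as a config loader would."""

    def __init__(self):
        super().__init__()
        self.props, self._name, self._text = {}, None, []

    def startElement(self, tag, attrs):
        self._text = []

    def characters(self, data):
        self._text.append(data)   # entity expansion arrives here as plain text

    def endElement(self, tag):
        text = "".join(self._text).strip()
        if tag == "name":
            self._name = text
        elif tag == "value" and self._name is not None:
            self.props[self._name] = text


def parse_config(xml_text: str, resolve_external_entities: bool) -> dict:
    """Parse a config document; the flag is the whole difference between
    a parser that leaks host files and one that does not."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external_entities)
    handler = PropertyCollector()
    parser.setContentHandler(handler)
    parser.parse(io.StringIO(xml_text))
    return handler.props


def demo() -> dict:
    """Plant a constructed secret file, then parse the same document both ways."""
    with tempfile.NamedTemporaryFile("w", suffix=".secret", delete=False) as f:
        f.write("hunter2\n")           # constructed stand-in for a keystore password
        path = f.name
    try:
        doc = CONF_TEMPLATE.format(path=path)
        return {
            "entities_resolved": parse_config(doc, True).get("mapreduce.job.name"),
            "entities_blocked": parse_config(doc, False).get("mapreduce.job.name"),
        }
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(demo())
```

The value the attacker controls is only ever displayed back to them (for instance as a job name), which is all an exfiltration channel needs; the fix is on the parser side, not in what the application does with the value.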
The YARN NodeManager in Apache Hadoop 2.7.3 and 2.7.4 can leak the password for the credential store provider used by the NodeManager to YARN applications.
Max CVSS 9.8 | EPSS 0.21% | Published 2018-01-24 | Updated 2019-10-03
In Apache Hadoop 3.0.0-alpha1 to 3.0.0, 2.9.0, 2.8.0 to 2.8.3, and 2.5.0 to 2.7.5, HDFS exposes extended attribute key/value pairs during listXAttrs, verifying only path-level search access to the directory rather than path-level read permission to the referent.
Max CVSS 7.5 | EPSS 0.07% | Published 2019-02-07 | Updated 2019-02-21
Apache Hadoop 3.1.0, 3.0.0-alpha to 3.0.2, 2.9.0 to 2.9.1, 2.8.0 to 2.8.4, 2.0.0-alpha to 2.7.6, and 0.23.0 to 0.23.11 are exploitable via the zip slip vulnerability in places that accept a zip file.
Max CVSS 8.8 | EPSS 8.73% | Published 2018-11-13 | Updated 2020-10-08
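The NodeManager tar symlink entry earlier on this page and the zip slip entry above are the same class of bug: an archive member's name or link target is trusted when it is written to disk. Here is an added Python extractor, not Hadoop's FileUtil or RunJar code, together with two constructed malicious archives. It resolves each member's final path against the destination at the moment it is written, so a symlink placed by an earlier member is followed and caught, and rejects symlinks whose targets resolve outside the destination.

```python
import io
import os
import tarfile
import tempfile
import zipfile

# Added example (not Hadoop's FileUtil/RunJar code): constructed malicious
# archives plus an extractor that checks every entry against the destination
# after resolving any symlinks already written by earlier entries.


def _confined(dest_real: str, path: str) -> bool:
    """True if `path`, after resolving symlinks, stays under dest_real."""
    return os.path.commonpath([dest_real, os.path.realpath(path)]) == dest_real


def safe_extract_zip(data: bytes, dest: str) -> list:
    """Extract a zip, refusing any entry whose final path leaves `dest`."""
    dest_real = os.path.realpath(dest)
    written = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            target = os.path.join(dest_real, info.filename)
            if not _confined(dest_real, target):
                raise ValueError(f"zip slip: {info.filename!r} escapes {dest}")
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as f:
                f.write(zf.read(info))
            written.append(info.filename)
    return written


def safe_extract_tar(data: bytes, dest: str) -> list:
    """Extract a tar, refusing path escapes and links that point outside `dest`."""
    dest_real = os.path.realpath(dest)
    written = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
        for m in tf:
            target = os.path.join(dest_real, m.name)
            if not _confined(dest_real, target):
                raise ValueError(f"path escape: {m.name!r}")
            if m.isdir():
                os.makedirs(target, exist_ok=True)
            elif m.isfile():
                os.makedirs(os.path.dirname(target), exist_ok=True)
                with open(target, "wb") as f:
                    f.write(tf.extractfile(m).read())
            elif m.issym():
                # A symlink target is relative to the link's own directory. An
                # absolute or ../ target resolving outside dest is the primitive
                # behind the localization bug: a later chmod follows the link.
                link_dest = os.path.join(os.path.dirname(target), m.linkname)
                if not _confined(dest_real, link_dest):
                    raise ValueError(f"symlink {m.name!r} -> {m.linkname!r} escapes {dest}")
                os.symlink(m.linkname, target)
            else:
                raise ValueError(f"refusing member type {m.type!r} for {m.name!r}")
            written.append(m.name)
    return written


def build_zip_slip() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("../../escaped.txt", "written outside the target directory")
    return buf.getvalue()


def _tar_with(members) -> bytes:
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, linkname, data in members:
            info = tarfile.TarInfo(name)
            if linkname is not None:
                info.type, info.linkname = tarfile.SYMTYPE, linkname
                tf.addfile(info)
            else:
                info.size = len(data)
                tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def build_symlink_tar() -> bytes:
    # Harmless-looking name, host file as target (constructed).
    return _tar_with([("config.properties", "/etc/shadow", None), ("README", None, b"benign")])


def build_benign_tar() -> bytes:
    return _tar_with([("README", None, b"benign")])


def demo() -> dict:
    """Run the extractor over each constructed archive in a fresh directory."""
    results = {}
    for label, fn, data in [("zip_slip", safe_extract_zip, build_zip_slip()),
                            ("symlink_tar", safe_extract_tar, build_symlink_tar()),
                            ("benign_tar", safe_extract_tar, build_benign_tar())]:
        with tempfile.TemporaryDirectory() as dest:
            try:
                results[label] = ("ok", fn(data, dest))
            except ValueError as e:
                results[label] = ("rejected", str(e))
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label:12s} {outcome}")
```

On Python 3.12 and later, tarfile's extraction filters (filter="data") apply equivalent checks; the hand-written version above exists to make the two decisions visible, and to show that the check must be made per member as the tree on disk changes.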
In Apache Hadoop versions 3.0.0-alpha1 to 3.1.0, 2.9.0 to 2.9.1, and 2.2.0 to 2.8.4, a user who can escalate to the yarn user can possibly run arbitrary commands as the root user.
Max CVSS 9.0 | EPSS 0.24% | Published 2019-05-30 | Updated 2020-10-08
The web endpoint authentication check is broken in Apache Hadoop 3.0.0-alpha4, 3.0.0-beta1, and 3.0.0. Authenticated users may impersonate any user even if no proxy user is configured.
Max CVSS 9.0 | EPSS 0.08% | Published 2020-10-21 | Updated 2022-06-03
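The first entry on this page and the web endpoint entry above are both impersonation bugs: a request's doAs target was honoured without the proxy-user check. An added Python model of that check follows; it is not Hadoop's ProxyUsers code. The hadoop.proxyuser.<user>.hosts, .groups and .users keys are the real configuration names, while the cluster configuration, the group table and the plain string host matching (Hadoop compares the caller's address) are constructed for the example.

```python
from typing import Callable, Dict, Optional, Set, Tuple

# Constructed model of the proxy-user ("doAs") authorization decision, not
# Hadoop's ProxyUsers code. The hadoop.proxyuser.<user>.hosts/.groups/.users
# keys are real configuration names; everything else here is made up.
WILDCARD = "*"


def _csv(value: Optional[str]) -> Set[str]:
    return {v.strip() for v in (value or "").split(",") if v.strip()}


def authorize_doas(conf: Dict[str, str], auth_user: str, do_as: str, remote_host: str,
                   groups_of: Callable[[str], Set[str]]) -> Tuple[bool, str]:
    """Decide whether `auth_user`, calling from `remote_host`, may act as `do_as`."""
    if do_as == auth_user:
        return True, "no impersonation requested"
    hosts = conf.get(f"hadoop.proxyuser.{auth_user}.hosts")
    groups = conf.get(f"hadoop.proxyuser.{auth_user}.groups")
    users = conf.get(f"hadoop.proxyuser.{auth_user}.users")
    # The check the broken endpoint skipped: impersonation is only legitimate
    # for an explicitly configured proxy user, never for "any authenticated user".
    if hosts is None or (groups is None and users is None):
        return False, f"{auth_user} is not a configured proxy user"
    allowed_hosts = _csv(hosts)
    if WILDCARD not in allowed_hosts and remote_host not in allowed_hosts:
        return False, f"{auth_user} may not proxy from {remote_host}"
    allowed_users, allowed_groups = _csv(users), _csv(groups)
    if WILDCARD in allowed_users or do_as in allowed_users:
        return True, f"{do_as} is an allowed target user"
    if WILDCARD in allowed_groups or groups_of(do_as) & allowed_groups:
        return True, f"{do_as} is in an allowed target group"
    return False, f"{auth_user} may not impersonate {do_as}"


# Constructed cluster state: two service accounts allowed to impersonate,
# and a constructed user-to-groups table standing in for the group mapping.
CONF = {
    "hadoop.proxyuser.oozie.hosts": "gateway1,gateway2",
    "hadoop.proxyuser.oozie.groups": "analysts",
    "hadoop.proxyuser.knox.hosts": "*",
    "hadoop.proxyuser.knox.users": "bob",
}
GROUPS = {"bob": {"analysts"}, "alice": {"analysts"}, "hdfs": {"hadoop", "supergroup"}}


def demo() -> Dict[str, bool]:
    g = lambda u: GROUPS.get(u, set())
    return {
        "alice_as_hdfs": authorize_doas(CONF, "alice", "hdfs", "gateway1", g)[0],        # not a proxy user
        "oozie_as_bob_from_gateway": authorize_doas(CONF, "oozie", "bob", "gateway1", g)[0],
        "oozie_as_bob_from_laptop": authorize_doas(CONF, "oozie", "bob", "laptop", g)[0],  # wrong host
        "oozie_as_hdfs": authorize_doas(CONF, "oozie", "hdfs", "gateway1", g)[0],        # wrong group
        "knox_as_bob_anywhere": authorize_doas(CONF, "knox", "bob", "laptop", g)[0],
        "knox_as_alice": authorize_doas(CONF, "knox", "alice", "laptop", g)[0],          # not listed
        "bob_as_bob": authorize_doas(CONF, "bob", "bob", "laptop", g)[0],
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case:28s} {'ALLOW' if allowed else 'DENY'}")
```

The first case is the one the advisory describes: an ordinary authenticated user with no proxy-user entries at all must be denied, and a wildcard in hosts or groups should only ever appear on service accounts whose every caller is trusted to the same degree.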
In Apache Hadoop versions 3.0.0-alpha2 to 3.0.0, 2.9.0 to 2.9.2, and 2.8.0 to 2.8.5, any user can access some servlets without authentication when Kerberos authentication is enabled and SPNEGO through HTTP is not enabled.
Max CVSS 7.5 | EPSS 0.27% | Published 2020-09-30 | Updated 2020-10-16
In Apache Hadoop 2.7.4 to 2.7.6, the security fix for CVE-2016-6811 is incomplete. A user who can escalate to the yarn user can possibly run arbitrary commands as the root user.
Max CVSS 9.0 | EPSS 0.08% | Published 2018-11-27 | Updated 2019-10-03
35 vulnerabilities found