Lucene search
GitHub Advisory DatabaseGHSA-JPMF-8CJ2-595GHistoryMay 17, 2022 - 4:20 a.m.
Improper Link Resolution Before File Access in Apache Hadoop
2022-05-1704:20:31
CWE-59
GitHub Advisory Database
github.com
9
5 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
0.001 Low
EPSS
Percentile
44.3%
The YARN NodeManager daemon in Apache Hadoop 0.23.0 through 0.23.11 and 2.x before 2.5.2, when using Kerberos authentication, allows remote cluster users to change the permissions of certain files to world-readable via a symlink attack in a public tar archive, which is not properly handled during localization, related to distributed cache.
Affected configurations
Node
org.apache.hadoop\hadoopMatchclient
ORorg.apache.hadoop\hadoopMatchclient
ORorg.apache.hadoop\hadoopMatchclient
| CPE | Name | Operator | Version |
|---|---|---|---|
| org.apache.hadoop:hadoop-client | lt | 2.5.2 | |
| org.apache.hadoop:hadoop-client | ge | 0.23.0 | |
| org.apache.hadoop:hadoop-client | lt | 1.0.1 |
Related
veracode
veracode
File Permission Manipulation Via Symlink Attack
2018-03-22 02:07:23
cve
cve
CVE-2014-3627
2014-12-05 16:59:04
nvd
nvd
CVE-2014-3627
2014-12-05 16:59:04
cvelist
cvelist
CVE-2014-3627
2014-12-05 16:00:00
osv
osv
Improper Link Resolution Before File Access in Apache Hadoop
2022-05-17 04:20:31
prion
prion
Authentication flaw
2014-12-05 16:59:00
5 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
0.001 Low
EPSS
Percentile
44.3%
Related for GHSA-JPMF-8CJ2-595G