Lucene search

GitHub Advisory DatabaseGHSA-P435-W4XM-JJ8X

HistoryFeb 06, 2022 - 12:01 a.m.

Hadoop token in temp file visible to all users in Apache Gobblin

2022-02-0600:01:07

CWE-200

GitHub Advisory Database

github.com

2.1 Low

CVSS2

Attack Vector

LOCAL

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:L/AC:L/Au:N/C:P/I:N/A:N

5.5 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

0.0004 Low

EPSS

Percentile

5.1%

JSON

In Apache Gobblin, the Hadoop token is written to a temp file that is visible to all local users on Unix-like systems. This affects versions <= 0.15.0. Users should update to version 0.16.0 which addresses this issue.

Affected configurations

Vulners

Node

org.apache.gobblin\gobblinMatchcore

CPENameOperatorVersion
org.apache.gobblin:gobblin-corelt0.16.0

CPE	Name	Operator	Version
	org.apache.gobblin:gobblin-core	lt	0.16.0

References

github.com/advisories/GHSA-p435-w4xm-jj8x

lists.apache.org/thread/3cdkyxdd6xk05lsvr3l66dsnvhwyo1t0

nvd.nist.gov/vuln/detail/CVE-2021-36151

2.1 Low

CVSS2

Attack Vector

LOCAL

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:L/AC:L/Au:N/C:P/I:N/A:N

5.5 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

0.0004 Low

EPSS

Percentile

5.1%

JSON

Related for GHSA-P435-W4XM-JJ8X