37 matches found
CVE-2022-25168
CVE-2022-25168 affects Apache Hadoop's FileUtil.unTar(File, File) API, which does not escape the input file name before passing it to the shell. This enables command injection. In Hadoop, this vulnerability has been identified in the InMemoryAliasMap.bootstrap transfer path (local user context), ...
CVE-2019-17195
IBM’s security bulletin for IBM Robotic Process Automation for Cloud Pak identifies CVE-2019-17195 as a Nimbus JOSE+JWT vulnerability (uncaught JWT parsing exceptions) that could crash the application or leak information. Affected product: IBM Robotic Process Automation for Cloud Pak versions prior...
CVE-2024-23454
CVE-2024-23454 pertains to Apache Hadoop where RunJar.run() may create temporary files without explicitly setting POSIX permissions. The issue arises because on Unix-like systems the system temp directory is shared among local users, so if the program writes data without proper permissions, other...
CVE-2022-26612
CVE-2022-26612 affects Apache Hadoop. The vulnerability arises during TAR extraction: Hadoop’s unTar uses unTarUsingJava on Windows and the built-in tar utility on other OSes, allowing a TAR entry to create a symlink pointing outside the extraction directory. A following TAR entry can write arbit...
CVE-2018-11768
CVE-2018-11768 affects Apache Hadoop versions: 3.1.0–3.1.1, 3.0.0-alpha1–3.0.3, 2.9.0–2.9.1, and 2.0.0-alpha–2.8.4. The vulnerability is caused by a mismatch in the size of the fields used to store user/group information between memory and disk representations in fsimage, allowing a remote attack...
CVE-2020-9492
CVE-2020-9492: In Hadoop, the WebHDFS client may send a SPNEGO authorization header to a remote URL without proper verification. Affected are Hadoop releases: 3.2.0–3.2.1, 3.0.0-alpha1–3.1.3, and 2.0.0-alpha–2.10.0. The description in the initial document directly states the header could be sent...
CVE-2021-37404
CVE-2021-37404 describes a potential heap buffer overflow in Apache Hadoop’s libhdfs native code. Opening a file path supplied by a user without proper validation may lead to a denial of service or arbitrary code execution. The description specifies vulnerable software and versions and provides f...
CVE-2018-8029
CVE-2018-8029 affects Apache Hadoop: versions 3.0.0-alpha1 through 3.1.0, 2.9.0 through 2.9.1, and 2.2.0 through 2.8.4 are vulnerable. A user who can escalate to the yarn user could potentially run arbitrary commands as root. Connected sources (IBM security bulletin, Red Hat security note, and OS...
CVE-2021-33036
CVE-2021-33036 affects Apache Hadoop (versions 2.2.0–2.10.1, 3.0.0–3.1.4, 3.2.0–3.2.2, 3.3.0–3.3.1). The issue arises from improper permission handling that could let an authenticated user who escalates to the yarn user run arbitrary commands with root privileges. The impact is elevated privilege...
CVE-2018-8009
CVE-2018-8009 (Zip-Slip) affects Apache Hadoop and is linked in related IBM advisories to IBM Cloud Pak for Multicloud Management Monitoring. The vulnerability lets an attacker traverse directories by extracting a malicious ZIP (../ sequences) and may enable writing arbitrary files. Affected Hado...
CVE-2016-6811
CVE-2016-6811 affects Apache Hadoop 2.x prior to 2.7.4, enabling a user who can escalate to the yarn user to execute arbitrary commands with root privileges. Connected sources confirm this as a privileged‑execution issue in Hadoop/YARN, with public discourse noting patch timelines (Fedora/RHEL ad...
CVE-2017-15713
CVE-2017-15713 affects Apache Hadoop components (0.23.x, 2.x <2.7.5, 2.8.x
CVE-2021-25642
CVE-2021-25642: Hadoop YARN’s CapacityScheduler can be exploited via ZKConfigurationStore, which deserializes data from ZooKeeper without validation. An attacker with ZooKeeper access can execute arbitrary commands as the YARN user. Affected Hadoop versions require upgrading to 2.10.2, 3.2.4, or...
CVE-2017-3162
Apache Hadoop CVE-2017-3162: A vulnerability in the HDFS namespace browsing flow where the DataNode servlet accepts a NameNode URL as a query parameter without validation, allowing an attacker to bypass security restrictions. Affected software includes Hadoop versions prior to 2.7.0; the issue st...
CVE-2017-15718
CVE-2017-15718 affects Apache Hadoop, specifically the YARN NodeManager in Hadoop 2.7.3 and 2.7.4, which can leak the password for the NodeManager credential store provider to YARN Applications. The vulnerability is an information disclosure in the NodeManager component that could expose credenti...
CVE-2023-26031
CVE-2023-26031 affects Apache Hadoop 3.3.1–3.3.4 on Linux, via the container-executor binary. The root cause is a library runpath/RPATH configuration change that allows loading a modified libcrypto from a writeable path (RUNPATH: [$ORIGIN/:../lib/native/]), enabling a local user to escalate to ro...
CVE-2018-1296
CVE-2018-1296: In Hadoop, HDFS exposes extended attribute key/value pairs during listXAttrs, due to verifying only path-level search access rather than path-level read permission to the referent. This can allow access to encryption secrets and other sensitive attributes. Affected: Apache Hadoop ...
CVE-2017-3166
CVE-2017-3166 affects Apache Hadoop: if a file in an encryption zone is world-readable and localized via YARN localization, it can be stored in a world-readable location and shared with any requesting application. Affected Hadoop versions per the document: 2.6.1–2.6.5, 2.7.0–2.7.3, and 3.0.0-alph...
CVE-2018-11765
CVE-2018-11765 – Hadoop web-UI auth bypass. Affected software: Apache Hadoop 3.0.0-alpha2 to 3.0.0, 2.9.0 to 2.9.2, and 2.8.0 to 2.8.5. The vulnerability arises in the web interfaces when Kerberos authentication is enabled and SPNEGO over HTTP is not enabled. What is affected: a...
CVE-2016-3086
CVE-2016-3086 affects Apache Hadoop’s YARN NodeManager. Affected are Hadoop 2.6.x before 2.6.5 and 2.7.x before 2.7.3, where a flaw in the NodeManager can leak the password for the credential store provider to YARN applications. Root cause is a credential store/password handling flaw in the NodeM...
CVE-2018-11767
CVE-2018-11767 affects Apache Hadoop KMS ACL handling, causing blocking or incorrect access decisions when non-default group mapping is used. Affected releases include Hadoop 2.9.0–2.9.1, 2.8.3–2.8.4, and 2.7.5–2.7.6. Remediation/advisories reference vendor fixes (e.g., Cloudera Runtime 7.1.9.x h...
CVE-2018-11766
CVE-2018-11766 affects Apache Hadoop 2.7.4–2.7.6; the security fix for CVE-2016-6811 is incomplete, allowing a user who can escalate to the yarn user to possibly execute arbitrary commands as root. The IBM bulletin lists a base score of 8.4 (high) and confirms the vulnerable scenario but does not...
CVE-2016-5001
CVE-2016-5001 affects Apache Hadoop before 2.6.4 and 2.7.x before 2.7.2, in the HDFS short-circuit reads feature. Root cause: a flaw in the token-based access control that lets a local DataNode user craft a block token to read arbitrary files. Impact: information disclosure (unauthorized read acc...
CVE-2017-3161
CVE-2017-3161 affects Apache Hadoop’s HDFS web UI (pre-2.7.0). The vulnerability is a cross-site scripting flaw caused by an unescaped query parameter, enabling a remote attacker to run scripts in the victim’s browser (potential cookie theft) via specially crafted URLs. The connected documents co...
CVE-2012-4449
CVE-2012-4449 affects Apache Hadoop: prior to 0.23.4, 1.x prior to 1.0.4, and 2.x prior to 2.0.2, token passwords are generated using a 20‑bit secret when Kerberos security features are enabled. This weak secret can be brute‑force cracked, enabling context‑dependent attackers to compromise secret...
CVE-2017-7669
CVE-2017-7669 affects Apache Hadoop where the LinuxContainerExecutor runs docker commands as root when the docker feature is enabled, due to insufficient input validation. Affected versions include Hadoop 2.8.0 and 3.0.0-alpha1/alpha2; authenticated users could execute commands as root. The issue...
CVE-2018-11764
CVE-2018-11764 concerns Hadoop where the web endpoint authentication check is broken. The vulnerability affects Apache Hadoop 3.0.0-alpha4, 3.0.0-beta1, and 3.0.0, enabling an authenticated user to impersonate any user even without a configured proxy user. The root cause is a flawed authenticatio...
CVE-2013-2192
The CVE-2013-2192 issue affects Apache Hadoop RPC with Kerberos enabled, where an attacker can perform a MITM by downgrading to simple authentication, compromising confidentiality and integrity. Affected ranges are Hadoop 2.x before 2.0.6-alpha, 0.23.x before 0.23.9, and 1.x before 1.2.1. Remedia...
CVE-2016-5393
CVE-2016-5393: Apache Hadoop 2.6.x before 2.6.5 and 2.7.x before 2.7.3 allows a remote user who can authenticate with the HDFS NameNode to run arbitrary commands with the same privileges as the HDFS service. This is a remote-authenticated command-execution risk affecting Hadoop’s HDFS component;...
CVE-2025-27821
Summary: CVE-2025-27821 is an out-of-bounds write vulnerability in the Apache Hadoop HDFS native client, specifically in the URI parser. The issue affects Hadoop 3.2.0 up to, but not including, 3.4.2. Multiple sources (NVD, Red Hat, OSV, GHSA, CVE list, Snyk, and others) describe the same flaw an...
CVE-2012-2945
The provided documents confirm a concrete vulnerability in Hadoop 1.0.3 described as a symlink vulnerability caused by storing PID files in the shared /tmp directory by default. Public details show a symlink from /tmp/hadoop-root-tasktracker.pid pointing to /etc/passwd- (local file-system symlink...
CVE-2015-1776
The CVE-2015-1776 issue affects Apache Hadoop 2.6.x where, when the intermediate data encryption feature is enabled, intermediate data and the encryption key are stored together in a credentials file on disk. This design allows local users to read sensitive information from the credentials file, ...
CVE-2012-1574
CVE-2012-1574 affects Apache Hadoop’s Kerberos/MapReduce security, enabling remote authenticated users to impersonate arbitrary cluster user accounts. Affected versions include Hadoop 0.20.203.0–0.20.205.0, 0.23.x before 0.23.2, and 1.0.x before 1.0.2 (as deployed in Cloudera CDH CDH3u0–CDH3u2, a...
CVE-2014-0229
Apache Hadoop 0.23.x before 0.23.11 and 2.x before 2.4.1 (and Cloudera CDH 5.0.x before 5.0.2) fail to check authorization for HDFS admin commands refreshNamenodes, deleteBlockPool, and shutdownDatanode. This allows remote authenticated users to cause DataNodes to shut down or perform unnecessary...
CVE-2012-3376
CVE-2012-3376 affects Hadoop 2.0.0-alpha where DataNodes do not check BlockTokens for clients when Kerberos is enabled and a DataNode has registered multiple times for the same BlockPool. This can allow remote clients to read arbitrary blocks or write to blocks they only have read access to, amon...
CVE-2014-3627
CVE-2014-3627 affects the YARN NodeManager in Apache Hadoop (versions 0.23.0–0.23.11 and 2.x prior to 2.5.2). The root cause is a symlink/localization handling issue in the distributed cache within a public tar archive when Kerberos authentication is used, enabling remote cluster users to change ...
CVE-2015-7430
The IBM Spectrum Scale (GPFS) Hadoop Connector is affected by CVE-2015-7430, impacting versions 1.1.1, 2.4, 2.5, and 2.7.0-0 through 2.7.0-2. An unprivileged user could read, write, modify, or delete GPFS data via unspecified vectors. The issue is mitigated by upgrading to version 2.7.0-3. IBM pr...