Search query: ApacheHadoop

37 matches found

CVE | added 2022/08/04 2:30 p.m. | 781 views

CVE-2022-25168

CVE-2022-25168 affects Apache Hadoop's FileUtil.unTar(File, File) API, which does not escape the input file name before passing it to the shell. This enables command injection. In Hadoop, this vulnerability has been identified in the InMemoryAliasMap.bootstrap transfer path (local user context), ...

CVSS 9.8 | AI score 9.9 | EPSS 0.03259

CVE | added 2019/10/15 1:42 p.m. | 328 views

CVE-2019-17195

IBM’s security bulletin for IBM Robotic Process Automation for Cloud Pak identifies CVE-2019-17195 as Nimbus JOSE+JWT vulnerability (uncaught JWT parsing exceptions) that could crash the application or leak information. Affected product: IBM Robotic Process Automation for Cloud Pak versions prior...

CVSS 9.8 | AI score 9.2 | EPSS 0.11032

CVE | added 2024/09/25 7:45 a.m. | 312 views

CVE-2024-23454

CVE-2024-23454 pertains to Apache Hadoop where RunJar.run() may create temporary files without explicitly setting POSIX permissions. The issue arises because on Unix-like systems the system temp directory is shared among local users, so if the program writes data without proper permissions, other...

CVSS 6.2 | AI score 6.1 | EPSS 0.00383

CVE | added 2022/04/07 6:20 p.m. | 236 views

CVE-2022-26612

CVE-2022-26612 affects Apache Hadoop. The vulnerability arises during TAR extraction: Hadoop’s unTar uses unTarUsingJava on Windows and the built-in tar utility on other OSes, allowing a TAR entry to create a symlink pointing outside the extraction directory. A following TAR entry can write arbit...

CVSS 9.8 | AI score 9.2 | EPSS 0.04292

CVE | added 2019/10/04 1:56 p.m. | 193 views

CVE-2018-11768

CVE-2018-11768 affects Apache Hadoop versions: 3.1.0–3.1.1, 3.0.0-alpha1–3.0.3, 2.9.0–2.9.1, and 2.0.0-alpha–2.8.4. The vulnerability is caused by a mismatch in the size of the fields used to store user/group information between memory and disk representations in fsimage, allowing a remote attack...

CVSS 7.5 | AI score 7.2 | EPSS 0.06554

CVE | added 2021/01/26 12:55 p.m. | 163 views

CVE-2020-9492

CVE-2020-9492: In Hadoop, the WebHDFS client may send a SPNEGO authorization header to a remote URL without proper verification. Affected are Hadoop releases: 3.2.0–3.2.1, 3.0.0-alpha1–3.1.3, and 2.0.0-alpha–2.10.0. The description in the initial document directly states the header could be sent...

CVSS 8.8 | AI score 8.4 | EPSS 0.04403

CVE | added 2022/06/13 7:00 a.m. | 158 views

CVE-2021-37404

CVE-2021-37404 describes a potential heap buffer overflow in Apache Hadoop’s libhdfs native code. Opening a file path supplied by a user without proper validation may lead to a denial of service or arbitrary code execution. The description specifies vulnerable software and versions and provides f...

CVSS 9.8 | AI score 9.8 | EPSS 0.02885

CVE | added 2019/05/30 3:15 p.m. | 145 views

CVE-2018-8029

CVE-2018-8029 affects Apache Hadoop: versions 3.0.0-alpha1 through 3.1.0, 2.9.0 through 2.9.1, and 2.2.0 through 2.8.4 are vulnerable. A user who can escalate to the yarn user could potentially run arbitrary commands as root. Connected sources (IBM security bulletin, Red Hat security note, and OS...

CVSS 9.0 | AI score 8.8 | EPSS 0.03982

CVE | added 2022/06/15 2:25 p.m. | 139 views

CVE-2021-33036

CVE-2021-33036 affects Apache Hadoop (versions 2.2.0–2.10.1, 3.0.0–3.1.4, 3.2.0–3.2.2, 3.3.0–3.3.1). The issue arises from improper permission handling that could let an authenticated user who escalates to the yarn user run arbitrary commands with root privileges. The impact is elevated privilege...

CVSS 9.0 | AI score 9.0 | EPSS 0.03227

CVE | added 2018/11/13 9:00 p.m. | 128 views

CVE-2018-8009

CVE-2018-8009 (Zip-Slip) affects Apache Hadoop and is linked in related IBM advisories to IBM Cloud Pak for Multicloud Management Monitoring. The vulnerability lets an attacker traverse directories by extracting a malicious ZIP (../ sequences) and may enable writing arbitrary files. Affected Hado...

CVSS 8.8 | AI score 8.3 | EPSS 0.07577

CVE | added 2017/04/11 2:00 p.m. | 119 views

CVE-2016-6811

CVE-2016-6811 affects Apache Hadoop 2.x prior to 2.7.4, enabling a user who can escalate to the yarn user to execute arbitrary commands with root privileges. Connected sources confirm this as a privileged‑execution issue in Hadoop/YARN, with public discourse noting patch timelines (Fedora/RHEL ad...

CVSS 9.0 | AI score 8.7 | EPSS 0.0262

CVE | added 2018/01/19 5:00 p.m. | 117 views

CVE-2017-15713

CVE-2017-15713 affects Apache Hadoop components (0.23.x, 2.x <2.7.5, 2.8.x

CVSS 6.5 | AI score 6.7 | EPSS 0.0221

CVE | added 2022/08/25 12:00 a.m. | 113 views

CVE-2021-25642

CVE-2021-25642: Hadoop YARN’s CapacityScheduler can be exploited via ZKConfigurationStore, which deserializes data from ZooKeeper without validation. An attacker with ZooKeeper access can execute arbitrary commands as the YARN user. Affected Hadoop versions require upgrading to 2.10.2, 3.2.4, or...

CVSS 8.8 | AI score 8.8 | EPSS 0.0182

CVE | added 2017/04/26 8:00 p.m. | 111 views

CVE-2017-3162

Apache Hadoop CVE-2017-3162: A vulnerability in the HDFS namespace browsing flow where the DataNode servlet accepts a NameNode URL as a query parameter without validation, allowing an attacker to bypass security restrictions. Affected software includes Hadoop versions prior to 2.7.0; the issue st...

CVSS 7.5 | AI score 7.0 | EPSS 0.062

CVE | added 2018/01/24 2:00 p.m. | 110 views

CVE-2017-15718

CVE-2017-15718 affects Apache Hadoop, specifically the YARN NodeManager in Hadoop 2.7.3 and 2.7.4, which can leak the password for the NodeManager credential store provider to YARN Applications. The vulnerability is an information disclosure in the NodeManager component that could expose credenti...

CVSS 9.8 | AI score 9.0 | EPSS 0.03635

CVE | added 2023/11/16 8:15 a.m. | 108 views

CVE-2023-26031

CVE-2023-26031 affects Apache Hadoop 3.3.1–3.3.4 on Linux, via the container-executor binary. The root cause is a library runpath/RPATH configuration change that allows loading a modified libcrypto from a writeable path (RUNPATH: [$ORIGIN/:../lib/native/]), enabling a local user to escalate to ro...

CVSS 7.5 | AI score 7.7 | EPSS 0.02089

CVE | added 2019/02/07 10:00 p.m. | 105 views

CVE-2018-1296

CVE-2018-1296: In Hadoop, HDFS exposes extended attribute key/value pairs during listXAttrs, due to verifying only path-level search access rather than path-level read permission to the referent. This can allow access to encryption secrets and other sensitive attributes. Affected: Apache Hadoop ...

CVSS 7.5 | AI score 7.3 | EPSS 0.03299

CVE | added 2017/11/13 2:00 p.m. | 102 views

CVE-2017-3166

CVE-2017-3166 affects Apache Hadoop: if a file in an encryption zone is world-readable and localized via YARN localization, it can be stored in a world-readable location and shared with any requesting application. Affected Hadoop versions per the document: 2.6.1–2.6.5, 2.7.0–2.7.3, and 3.0.0-alph...

CVSS 7.8 | AI score 7.4 | EPSS 0.00347

CVE | added 2020/09/30 5:02 p.m. | 101 views

CVE-2018-11765

CVE-2018-11765: Hadoop web UI authentication bypass. Affected software: Apache Hadoop 3.0.0-alpha2 to 3.0.0, 2.9.0 to 2.9.2, and 2.8.0 to 2.8.5. The vulnerability arises in the web interfaces when Kerberos authentication is enabled and SPNEGO over HTTP is not enabled. What is affected: a...

CVSS 7.5 | AI score 7.6 | EPSS 0.05207

CVE | added 2017/09/05 1:00 p.m. | 96 views

CVE-2016-3086

CVE-2016-3086 affects Apache Hadoop’s YARN NodeManager. Affected are Hadoop 2.6.x before 2.6.5 and 2.7.x before 2.7.3, where a flaw in the NodeManager can leak the password for the credential store provider to YARN applications. Root cause is a credential store/password handling flaw in the NodeM...

CVSS 9.8 | AI score 9.3 | EPSS 0.03616

CVE | added 2019/03/18 1:41 p.m. | 95 views

CVE-2018-11767

CVE-2018-11767 affects Apache Hadoop KMS ACL handling, causing blocking or incorrect access decisions when non-default group mapping is used. Affected releases include Hadoop 2.9.0–2.9.1, 2.8.3–2.8.4, and 2.7.5–2.7.6. Remediation/advisories reference vendor fixes (e.g., Cloudera Runtime 7.1.9.x h...

CVSS 7.4 | AI score 7.3 | EPSS 0.03726

CVE | added 2018/11/27 2:00 p.m. | 93 views

CVE-2018-11766

CVE-2018-11766 affects Apache Hadoop 2.7.4–2.7.6; the security fix for CVE-2016-6811 is incomplete, allowing a user who can escalate to the yarn user to possibly execute arbitrary commands as root. The IBM bulletin lists a base score of 8.4 (high) and confirms the vulnerable scenario but does not...

CVSS 9.0 | AI score 8.8 | EPSS 0.03244

CVE | added 2017/08/30 7:00 p.m. | 92 views

CVE-2016-5001

CVE-2016-5001 affects Apache Hadoop before 2.6.4 and 2.7.x before 2.7.2, in the HDFS short-circuit reads feature. Root cause: a flaw in the token-based access control that lets a local DataNode user craft a block token to read arbitrary files. Impact: information disclosure (unauthorized read acc...

CVSS 5.5 | AI score 5.0 | EPSS 0.00631

CVE | added 2017/04/26 8:00 p.m. | 92 views

CVE-2017-3161

CVE-2017-3161 affects Apache Hadoop’s HDFS web UI (pre-2.7.0). The vulnerability is a cross-site scripting flaw caused by an unescaped query parameter, enabling a remote attacker to run scripts in the victim’s browser (potential cookie theft) via specially crafted URLs. The connected documents co...

CVSS 6.1 | AI score 5.9 | EPSS 0.03838

CVE | added 2017/10/30 7:00 p.m. | 89 views

CVE-2012-4449

CVE-2012-4449 affects Apache Hadoop: prior to 0.23.4, 1.x prior to 1.0.4, and 2.x prior to 2.0.2, token passwords are generated using a 20‑bit secret when Kerberos security features are enabled. This weak secret can be brute‑force cracked, enabling context‑dependent attackers to compromise secret...

CVSS 9.8 | AI score 9.3 | EPSS 0.01201

CVE | added 2017/06/02 5:00 p.m. | 89 views

CVE-2017-7669

CVE-2017-7669 affects Apache Hadoop where the LinuxContainerExecutor runs docker commands as root when the docker feature is enabled, due to insufficient input validation. Affected versions include Hadoop 2.8.0 and 3.0.0-alpha1/alpha2; authenticated users could execute commands as root. The issue...

CVSS 8.5 | AI score 7.5 | EPSS 0.01795

CVE | added 2020/10/21 6:13 p.m. | 87 views

CVE-2018-11764

CVE-2018-11764 concerns Hadoop where the web endpoint authentication check is broken. The vulnerability affects Apache Hadoop 3.0.0-alpha4, 3.0.0-beta1, and 3.0.0, enabling an authenticated user to impersonate any user even without a configured proxy user. The root cause is a flawed authenticatio...

CVSS 9.0 | AI score 8.7 | EPSS 0.02365

CVE | added 2014/01/24 6:00 p.m. | 81 views

CVE-2013-2192

The CVE-2013-2192 issue affects Apache Hadoop RPC with Kerberos enabled, where an attacker can perform a MITM by downgrading to simple authentication, compromising confidentiality and integrity. Affected ranges are Hadoop 2.x before 2.0.6-alpha, 0.23.x before 0.23.9, and 1.x before 1.2.1. Remedia...

CVSS 3.2 | AI score 5.2 | EPSS 0.01069

CVE | added 2016/11/29 6:00 a.m. | 77 views

CVE-2016-5393

CVE-2016-5393: Apache Hadoop 2.6.x before 2.6.5 and 2.7.x before 2.7.3 allows a remote user who can authenticate with the HDFS NameNode to run arbitrary commands with the same privileges as the HDFS service. This is a remote-authenticated command-execution risk affecting Hadoop’s HDFS component;...

CVSS 8.8 | AI score 8.8 | EPSS 0.03141

CVE | added 2026/01/26 9:44 a.m. | 75 views

CVE-2025-27821

Summary: CVE-2025-27821 is an out-of-bounds write vulnerability in the Apache Hadoop HDFS native client, specifically in the URI parser. The issue affects Hadoop 3.2.0 up to, but not including, 3.4.2. Multiple sources (NVD, Red Hat, OSV, GHSA, CVE list, Snyk, and others) describe the same flaw an...

CVSS 7.3 | AI score 5.8 | EPSS 0.00862

CVE | added 2019/10/28 8:31 p.m. | 74 views

CVE-2012-2945

The provided documents confirm a concrete vulnerability in Hadoop 1.0.3 described as a symlink vulnerability caused by storing PID files in the shared /tmp directory by default. Public details show a symlink from /tmp/hadoop-root-tasktracker.pid pointing to /etc/passwd- (local file-system symlink...

CVSS 7.5 | AI score 7.5 | EPSS 0.02671

CVE | added 2016/04/19 9:00 p.m. | 74 views

CVE-2015-1776

The CVE-2015-1776 issue affects Apache Hadoop 2.6.x where, when the Intermediate data encryption feature is enabled, intermediate data and the encryption key are stored together in a credentials file on disk. This design allows local users to read sensitive information from the credentials file, ...

CVSS 6.2 | AI score 5.8 | EPSS 0.00318

CVE | added 2012/04/12 10:00 a.m. | 71 views

CVE-2012-1574

CVE-2012-1574 affects Apache Hadoop’s Kerberos/MapReduce security, enabling remote authenticated users to impersonate arbitrary cluster user accounts. Affected versions include Hadoop 0.20.203.0–0.20.205.0, 0.23.x before 0.23.2, and 1.0.x before 1.0.2 (as deployed in Cloudera CDH CDH3u0–CDH3u2, a...

CVSS 6.5 | AI score 6.4 | EPSS 0.04827

CVE | added 2017/03/23 8:00 p.m. | 70 views

CVE-2014-0229

Apache Hadoop 0.23.x before 0.23.11 and 2.x before 2.4.1 (and Cloudera CDH 5.0.x before 5.0.2) fail to check authorization for HDFS admin commands refreshNamenodes, deleteBlockPool, and shutdownDatanode. This allows remote authenticated users to cause DataNodes to shut down or perform unnecessary...

CVSS 6.5 | AI score 6.4 | EPSS 0.01591

CVE | added 2012/07/12 7:00 p.m. | 67 views

CVE-2012-3376

CVE-2012-3376 affects Hadoop 2.0.0-alpha where DataNodes do not check BlockTokens for clients when Kerberos is enabled and a DataNode has registered multiple times for the same BlockPool. This can allow remote clients to read arbitrary blocks or write to blocks they only have read access to, amon...

CVSS 7.5 | AI score 6.7 | EPSS 0.02655

CVE | added 2014/12/05 4:00 p.m. | 65 views

CVE-2014-3627

CVE-2014-3627 affects the YARN NodeManager in Apache Hadoop (versions 0.23.0–0.23.11 and 2.x prior to 2.5.2). The root cause is a symlink/localization handling issue in the distributed cache within a public tar archive when Kerberos authentication is used, enabling remote cluster users to change ...

CVSS 5.0 | AI score 8.4 | EPSS 0.03003

CVE | added 2016/01/02 9:00 p.m. | 55 views

CVE-2015-7430

The IBM Spectrum Scale (GPFS) Hadoop Connector is affected by CVE-2015-7430, impacting versions 1.1.1, 2.4, 2.5, and 2.7.0-0 through 2.7.0-2. An unprivileged user could read, write, modify, or delete GPFS data via unspecified vectors. The issue is mitigated by upgrading to version 2.7.0-3. IBM pr...

CVSS 8.4 | AI score 7.8 | EPSS 0.00507