27 matches found

added 2022/08/04 3:15 p.m., 747 views

CVE-2022-25168

Apache Hadoop's FileUtil.unTar(File, File) API does not escape the input file name before being passed to the shell. An attacker can inject arbitrary commands. This is only used in Hadoop 3.3 InMemoryAliasMap.completeBootstrapTransfer, which is only ever run by a local user. It has been used in Had...

CVSS 9.8, AI score 9.9, EPSS 0.02753

added 2024/09/25 8:15 a.m., 214 views

CVE-2024-23454

Apache Hadoop’s RunJar.run() does not set permissions for the temporary directory by default. If sensitive data is present in this directory, all other local users may be able to view its content. This is because, on Unix-like systems, the system temporary directory is shared between all local users....

CVSS 6.2, AI score 6.1, EPSS 0.0007

added 2022/04/07 7:15 p.m., 202 views

CVE-2022-26612

In Apache Hadoop, the unTar function uses the unTarUsingJava function on Windows and the built-in tar utility on Unix and other OSes. As a result, a TAR entry may create a symlink under the expected extraction directory which points to an external directory. A subsequent TAR entry may extract an arbitr...

CVSS 9.8, AI score 9.2, EPSS 0.0015

added 2019/10/04 2:15 p.m., 174 views

CVE-2018-11768

In Apache Hadoop 3.1.0 to 3.1.1, 3.0.0-alpha1 to 3.0.3, 2.9.0 to 2.9.1, and 2.0.0-alpha to 2.8.4, the user/group information can be corrupted when it is stored in fsimage and read back from fsimage.

CVSS 7.5, AI score 7.2, EPSS 0.03485

added 2019/05/30 4:29 p.m., 127 views

CVE-2018-8029

In Apache Hadoop versions 3.0.0-alpha1 to 3.1.0, 2.9.0 to 2.9.1, and 2.2.0 to 2.8.4, a user who can escalate to yarn user can possibly run arbitrary commands as root user.

CVSS 9, AI score 8.8, EPSS 0.01759

added 2022/06/13 7:15 a.m., 126 views

CVE-2021-37404

There is a potential heap buffer overflow in Apache Hadoop libhdfs native code. Opening a file path provided by user without validation may result in a denial of service or arbitrary code execution. Users should upgrade to Apache Hadoop 2.10.2, 3.2.3, 3.3.2 or higher.

CVSS 9.8, AI score 9.8, EPSS 0.00534

added 2021/01/26 6:16 p.m., 116 views

CVE-2020-9492

In Apache Hadoop 3.2.0 to 3.2.1, 3.0.0-alpha1 to 3.1.3, and 2.0.0-alpha to 2.10.0, WebHDFS client might send SPNEGO authorization header to remote URL without proper verification.

CVSS 8.8, AI score 8.4, EPSS 0.00115

added 2022/06/15 3:15 p.m., 109 views

CVE-2021-33036

In Apache Hadoop 2.2.0 to 2.10.1, 3.0.0-alpha1 to 3.1.4, 3.2.0 to 3.2.2, and 3.3.0 to 3.3.1, a user who can escalate to yarn user can possibly run arbitrary commands as root user. Users should upgrade to Apache Hadoop 2.10.2, 3.2.3, 3.3.2 or higher.

CVSS 9, AI score 9, EPSS 0.01253

added 2018/01/19 5:29 p.m., 101 views

CVE-2017-15713

Vulnerability in Apache Hadoop 0.23.x, 2.x before 2.7.5, 2.8.x before 2.8.3, and 3.0.0-alpha through 3.0.0-beta1 allows a cluster user to expose private files owned by the user running the MapReduce job history server process. The malicious user can construct a configuration file containing XML dir...

CVSS 6.5, AI score 6.7, EPSS 0.00679

added 2018/11/13 9:29 p.m., 97 views

CVE-2018-8009

Apache Hadoop 3.1.0, 3.0.0-alpha to 3.0.2, 2.9.0 to 2.9.1, 2.8.0 to 2.8.4, 2.0.0-alpha to 2.7.6, 0.23.0 to 0.23.11 is exploitable via the zip slip vulnerability in places that accept a zip file.

CVSS 8.8, AI score 8.3, EPSS 0.07934

added 2018/01/24 2:29 p.m., 93 views

CVE-2017-15718

The YARN NodeManager in Apache Hadoop 2.7.3 and 2.7.4 can leak the password for credential store provider used by the NodeManager to YARN Applications.

CVSS 9.8, AI score 9, EPSS 0.0104

added 2017/04/26 8:59 p.m., 92 views

CVE-2017-3162

HDFS clients interact with a servlet on the DataNode to browse the HDFS namespace. The NameNode is provided as a query parameter that is not validated in Apache Hadoop before 2.7.0.

CVSS 7.5, AI score 7, EPSS 0.01018

added 2017/04/11 2:59 p.m., 89 views

CVE-2016-6811

In Apache Hadoop 2.x before 2.7.4, a user who can escalate to yarn user can possibly run arbitrary commands as root user.

CVSS 9, AI score 8.7, EPSS 0.00538

added 2022/08/25 2:15 p.m., 88 views

CVE-2021-25642

ZKConfigurationStore which is optionally used by CapacityScheduler of Apache Hadoop YARN deserializes data obtained from ZooKeeper without validation. An attacker having access to ZooKeeper can run arbitrary commands as YARN user by exploiting this. Users should upgrade to Apache Hadoop 2.10.2, 3.2...

CVSS 8.8, AI score 8.8, EPSS 0.00443

added 2020/09/30 6:15 p.m., 86 views

CVE-2018-11765

In Apache Hadoop versions 3.0.0-alpha2 to 3.0.0, 2.9.0 to 2.9.2, 2.8.0 to 2.8.5, any users can access some servlets without authentication when Kerberos authentication is enabled and SPNEGO through HTTP is not enabled.

CVSS 7.5, AI score 7.6, EPSS 0.01147

added 2017/11/13 2:29 p.m., 85 views

CVE-2017-3166

In Apache Hadoop versions 2.6.1 to 2.6.5, 2.7.0 to 2.7.3, and 3.0.0-alpha1, if a file in an encryption zone with access permissions that make it world readable is localized via YARN's localization mechanism, that file will be stored in a world-readable location and can be shared freely with any app...

CVSS 7.8, AI score 7.4, EPSS 0.00214

added 2023/11/16 9:15 a.m., 84 views

CVE-2023-26031

Relative library resolution in linux container-executor binary in Apache Hadoop 3.3.1-3.3.4 on Linux allows local user to gain root privileges. If the YARN cluster is accepting work from remote (authenticated) users, this MAY permit remote users to gain root privileges. Hadoop 3.3.0 updated the " Y...

CVSS 7.5, AI score 7.7, EPSS 0.12692

added 2019/02/07 10:29 p.m., 82 views

CVE-2018-1296

In Apache Hadoop 3.0.0-alpha1 to 3.0.0, 2.9.0, 2.8.0 to 2.8.3, and 2.5.0 to 2.7.5, HDFS exposes extended attribute key/value pairs during listXAttrs, verifying only path-level search access to the directory rather than path-level read permission to the referent.

CVSS 7.5, AI score 7.3, EPSS 0.00574

added 2018/11/27 2:29 p.m., 78 views

CVE-2018-11766

In Apache Hadoop 2.7.4 to 2.7.6, the security fix for CVE-2016-6811 is incomplete. A user who can escalate to yarn user can possibly run arbitrary commands as root user.

CVSS 9, AI score 8.8, EPSS 0.00712

added 2019/03/21 4:00 p.m., 78 views

CVE-2018-11767

In Apache Hadoop 2.9.0 to 2.9.1, 2.8.3 to 2.8.4, and 2.7.5 to 2.7.6, the KMS may block users or grant access to users incorrectly if the system uses non-default group mapping mechanisms.

CVSS 7.4, AI score 7.3, EPSS 0.022

added 2017/09/05 1:29 p.m., 77 views

CVE-2016-3086

The YARN NodeManager in Apache Hadoop 2.6.x before 2.6.5 and 2.7.x before 2.7.3 can leak the password for credential store provider used by the NodeManager to YARN Applications.

CVSS 9.8, AI score 9.3, EPSS 0.00428

added 2017/04/26 8:59 p.m., 75 views

CVE-2017-3161

The HDFS web UI in Apache Hadoop before 2.7.0 is vulnerable to a cross-site scripting (XSS) attack through an unescaped query parameter.

CVSS 6.1, AI score 5.9, EPSS 0.02867

added 2017/10/30 7:29 p.m., 73 views

CVE-2012-4449

Apache Hadoop before 0.23.4, 1.x before 1.0.4, and 2.x before 2.0.2 generate token passwords using a 20-bit secret when Kerberos security features are enabled, which makes it easier for context-dependent attackers to crack secret keys via a brute-force attack.

CVSS 9.8, AI score 9.3, EPSS 0.00477

added 2017/08/30 7:29 p.m., 71 views

CVE-2016-5001

This is an information disclosure vulnerability in Apache Hadoop before 2.6.4 and 2.7.x before 2.7.2 in the short-circuit reads feature of HDFS. A local user on an HDFS DataNode may be able to craft a block token that grants unauthorized read access to random files by guessing certain fields in the...

CVSS 5.5, AI score 5, EPSS 0.00118

added 2020/10/21 7:15 p.m., 70 views

CVE-2018-11764

Web endpoint authentication check is broken in Apache Hadoop 3.0.0-alpha4, 3.0.0-beta1, and 3.0.0. Authenticated users may impersonate any user even if no proxy user is configured.

CVSS 9, AI score 8.7, EPSS 0.00185

added 2017/06/05 1:29 a.m., 63 views

CVE-2017-7669

In Apache Hadoop 2.8.0, 3.0.0-alpha1, and 3.0.0-alpha2, the LinuxContainerExecutor runs docker commands as root with insufficient input validation. When the docker feature is enabled, authenticated users can run commands as root.

CVSS 8.5, AI score 7.5, EPSS 0.00298

added 2016/11/29 6:59 a.m., 57 views

CVE-2016-5393

In Apache Hadoop 2.6.x before 2.6.5 and 2.7.x before 2.7.3, a remote user who can authenticate with the HDFS NameNode can possibly run arbitrary commands with the same privileges as the HDFS service.

CVSS 8.8, AI score 8.8, EPSS 0.02585