Apache Hadoop 3.0.0

10 matches found

added 2019/10/04 2:15 p.m., 174 views

CVE-2018-11768

In Apache Hadoop 3.1.0 to 3.1.1, 3.0.0-alpha1 to 3.0.3, 2.9.0 to 2.9.1, and 2.0.0-alpha to 2.8.4, the user/group information can be corrupted across storing in fsimage and reading back from fsimage.

CVSS 7.5, AI score 7.2, EPSS 0.03485

added 2019/05/30 4:29 p.m., 127 views

CVE-2018-8029

In Apache Hadoop versions 3.0.0-alpha1 to 3.1.0, 2.9.0 to 2.9.1, and 2.2.0 to 2.8.4, a user who can escalate to yarn user can possibly run arbitrary commands as root user.

CVSS 9, AI score 8.8, EPSS 0.01759

added 2022/06/15 3:15 p.m., 109 views

CVE-2021-33036

In Apache Hadoop 2.2.0 to 2.10.1, 3.0.0-alpha1 to 3.1.4, 3.2.0 to 3.2.2, and 3.3.0 to 3.3.1, a user who can escalate to yarn user can possibly run arbitrary commands as root user. Users should upgrade to Apache Hadoop 2.10.2, 3.2.3, 3.3.2 or higher.

CVSS 9, AI score 9, EPSS 0.01253

added 2018/01/19 5:29 p.m., 101 views

CVE-2017-15713

Vulnerability in Apache Hadoop 0.23.x, 2.x before 2.7.5, 2.8.x before 2.8.3, and 3.0.0-alpha through 3.0.0-beta1 allows a cluster user to expose private files owned by the user running the MapReduce job history server process. The malicious user can construct a configuration file containing XML dir...

CVSS 6.5, AI score 6.7, EPSS 0.00679

added 2018/11/13 9:29 p.m., 97 views

CVE-2018-8009

Apache Hadoop 3.1.0, 3.0.0-alpha to 3.0.2, 2.9.0 to 2.9.1, 2.8.0 to 2.8.4, 2.0.0-alpha to 2.7.6, 0.23.0 to 0.23.11 is exploitable via the zip slip vulnerability in places that accept a zip file.

CVSS 8.8, AI score 8.3, EPSS 0.13152

added 2020/09/30 6:15 p.m., 86 views

CVE-2018-11765

In Apache Hadoop versions 3.0.0-alpha2 to 3.0.0, 2.9.0 to 2.9.2, 2.8.0 to 2.8.5, any users can access some servlets without authentication when Kerberos authentication is enabled and SPNEGO through HTTP is not enabled.

CVSS 7.5, AI score 7.6, EPSS 0.01147

added 2017/11/13 2:29 p.m., 85 views

CVE-2017-3166

In Apache Hadoop versions 2.6.1 to 2.6.5, 2.7.0 to 2.7.3, and 3.0.0-alpha1, if a file in an encryption zone with access permissions that make it world readable is localized via YARN's localization mechanism, that file will be stored in a world-readable location and can be shared freely with any app...

CVSS 7.8, AI score 7.4, EPSS 0.00214

added 2019/02/07 10:29 p.m., 82 views

CVE-2018-1296

In Apache Hadoop 3.0.0-alpha1 to 3.0.0, 2.9.0, 2.8.0 to 2.8.3, and 2.5.0 to 2.7.5, HDFS exposes extended attribute key/value pairs during listXAttrs, verifying only path-level search access to the directory rather than path-level read permission to the referent.

CVSS 7.5, AI score 7.3, EPSS 0.00574

added 2020/10/21 7:15 p.m., 70 views

CVE-2018-11764

Web endpoint authentication check is broken in Apache Hadoop 3.0.0-alpha4, 3.0.0-beta1, and 3.0.0. Authenticated users may impersonate any user even if no proxy user is configured.

CVSS 9, AI score 8.7, EPSS 0.00185

added 2017/06/05 1:29 a.m., 63 views

CVE-2017-7669

In Apache Hadoop 2.8.0, 3.0.0-alpha1, and 3.0.0-alpha2, the LinuxContainerExecutor runs docker commands as root with insufficient input validation. When the docker feature is enabled, authenticated users can run commands as root.

CVSS 8.5, AI score 7.5, EPSS 0.00298