Lucene search

ApacheHadoop

9 matches found

CVE
added 2019/10/04 2:15 p.m. | 174 views

CVE-2018-11768

In Apache Hadoop 3.1.0 to 3.1.1, 3.0.0-alpha1 to 3.0.3, 2.9.0 to 2.9.1, and 2.0.0-alpha to 2.8.4, the user/group information can be corrupted across storing in fsimage and reading back from fsimage.

CVSS 7.5 | AI score 7.2 | EPSS 0.03485
CVE
added 2017/04/26 8:59 p.m. | 92 views

CVE-2017-3162

HDFS clients interact with a servlet on the DataNode to browse the HDFS namespace. The NameNode is provided as a query parameter that is not validated in Apache Hadoop before 2.7.0.

CVSS 7.5 | AI score 7 | EPSS 0.01018
CVE
added 2020/09/30 6:15 p.m. | 86 views

CVE-2018-11765

In Apache Hadoop versions 3.0.0-alpha2 to 3.0.0, 2.9.0 to 2.9.2, 2.8.0 to 2.8.5, any users can access some servlets without authentication when Kerberos authentication is enabled and SPNEGO through HTTP is not enabled.

CVSS 7.5 | AI score 7.6 | EPSS 0.01147
CVE
added 2017/11/13 2:29 p.m. | 85 views

CVE-2017-3166

In Apache Hadoop versions 2.6.1 to 2.6.5, 2.7.0 to 2.7.3, and 3.0.0-alpha1, if a file in an encryption zone with access permissions that make it world readable is localized via YARN's localization mechanism, that file will be stored in a world-readable location and can be shared freely with any app...

CVSS 7.8 | AI score 7.4 | EPSS 0.00214
CVE
added 2023/11/16 9:15 a.m. | 84 views

CVE-2023-26031

Relative library resolution in linux container-executor binary in Apache Hadoop 3.3.1-3.3.4 on Linux allows local user to gain root privileges. If the YARN cluster is accepting work from remote (authenticated) users, this MAY permit remote users to gain root privileges. Hadoop 3.3.0 updated the " Y...

CVSS 7.5 | AI score 7.7 | EPSS 0.12692
CVE
added 2019/02/07 10:29 p.m. | 82 views

CVE-2018-1296

In Apache Hadoop 3.0.0-alpha1 to 3.0.0, 2.9.0, 2.8.0 to 2.8.3, and 2.5.0 to 2.7.5, HDFS exposes extended attribute key/value pairs during listXAttrs, verifying only path-level search access to the directory rather than path-level read permission to the referent.

CVSS 7.5 | AI score 7.3 | EPSS 0.00574
CVE
added 2019/03/21 4:0 p.m. | 78 views

CVE-2018-11767

In Apache Hadoop 2.9.0 to 2.9.1, 2.8.3 to 2.8.4, and 2.7.5 to 2.7.6, KMS blocks users or grants access to users incorrectly if the system uses non-default groups mapping mechanisms.

CVSS 7.4 | AI score 7.3 | EPSS 0.022
CVE
added 2019/10/29 7:15 p.m. | 61 views

CVE-2012-2945

Hadoop 1.0.3 contains a symlink vulnerability.

CVSS 7.5 | AI score 7.5 | EPSS 0.01713
CVE
added 2012/07/12 7:55 p.m. | 50 views

CVE-2012-3376

DataNodes in Apache Hadoop 2.0.0 alpha do not check the BlockTokens of clients when Kerberos is enabled and the DataNode has checked out the same BlockPool twice from a NodeName, which might allow remote clients to read arbitrary blocks, write to blocks to which they only have read access, and ha...

CVSS 7.5 | AI score 6.7 | EPSS 0.01302