Lucene search: ApacheHadoop (12 matches found)

CVE-2022-25168
added 2022/08/04 3:15 p.m., 747 views

Apache Hadoop's FileUtil.unTar(File, File) API does not escape the input file name before it is passed to the shell. An attacker can inject arbitrary commands. This is only used in Hadoop 3.3 InMemoryAliasMap.completeBootstrapTransfer, which is only ever run by a local user. It has been used in Had...

CVSS 9.8, AI score 9.9, EPSS 0.02753
CVE-2019-17195
added 2019/10/15 2:15 p.m., 277 views

Connect2id Nimbus JOSE+JWT before v7.9 can throw various uncaught exceptions while parsing a JWT, which could result in an application crash (potential information disclosure) or a potential authentication bypass.

CVSS 9.8, AI score 9.2, EPSS 0.1232
CVE-2022-26612
added 2022/04/07 7:15 p.m., 202 views

In Apache Hadoop, the unTar function uses the unTarUsingJava function on Windows and the built-in tar utility on Unix and other OSes. As a result, a TAR entry may create a symlink under the expected extraction directory which points to an external directory. A subsequent TAR entry may extract an arbitr...

CVSS 9.8, AI score 9.2, EPSS 0.0015
CVE-2018-8029
added 2019/05/30 4:29 p.m., 127 views

In Apache Hadoop versions 3.0.0-alpha1 to 3.1.0, 2.9.0 to 2.9.1, and 2.2.0 to 2.8.4, a user who can escalate to yarn user can possibly run arbitrary commands as root user.

CVSS 9, AI score 8.8, EPSS 0.01759
CVE-2021-37404
added 2022/06/13 7:15 a.m., 126 views

There is a potential heap buffer overflow in Apache Hadoop libhdfs native code. Opening a user-provided file path without validation may result in a denial of service or arbitrary code execution. Users should upgrade to Apache Hadoop 2.10.2, 3.2.3, 3.3.2 or higher.

CVSS 9.8, AI score 9.8, EPSS 0.00534
CVE-2021-33036
added 2022/06/15 3:15 p.m., 109 views

In Apache Hadoop 2.2.0 to 2.10.1, 3.0.0-alpha1 to 3.1.4, 3.2.0 to 3.2.2, and 3.3.0 to 3.3.1, a user who can escalate to yarn user can possibly run arbitrary commands as root user. Users should upgrade to Apache Hadoop 2.10.2, 3.2.3, 3.3.2 or higher.

CVSS 9, AI score 9, EPSS 0.01253
CVE-2017-15718
added 2018/01/24 2:29 p.m., 93 views

The YARN NodeManager in Apache Hadoop 2.7.3 and 2.7.4 can leak the password for the credential store provider used by the NodeManager to YARN Applications.

CVSS 9.8, AI score 9, EPSS 0.0104
CVE-2016-6811
added 2017/04/11 2:59 p.m., 89 views

In Apache Hadoop 2.x before 2.7.4, a user who can escalate to yarn user can possibly run arbitrary commands as root user.

CVSS 9, AI score 8.7, EPSS 0.00538
CVE-2018-11766
added 2018/11/27 2:29 p.m., 78 views

In Apache Hadoop 2.7.4 to 2.7.6, the security fix for CVE-2016-6811 is incomplete. A user who can escalate to yarn user can possibly run arbitrary commands as root user.

CVSS 9, AI score 8.8, EPSS 0.00712
CVE-2016-3086
added 2017/09/05 1:29 p.m., 77 views

The YARN NodeManager in Apache Hadoop 2.6.x before 2.6.5 and 2.7.x before 2.7.3 can leak the password for the credential store provider used by the NodeManager to YARN Applications.

CVSS 9.8, AI score 9.3, EPSS 0.00428
CVE-2012-4449
added 2017/10/30 7:29 p.m., 73 views

Apache Hadoop before 0.23.4, 1.x before 1.0.4, and 2.x before 2.0.2 generate token passwords using a 20-bit secret when Kerberos security features are enabled, which makes it easier for context-dependent attackers to crack secret keys via a brute-force attack.

CVSS 9.8, AI score 9.3, EPSS 0.00477
CVE-2018-11764
added 2020/10/21 7:15 p.m., 70 views

The web endpoint authentication check is broken in Apache Hadoop 3.0.0-alpha4, 3.0.0-beta1, and 3.0.0. Authenticated users may impersonate any user even if no proxy user is configured.

CVSS 9, AI score 8.7, EPSS 0.00185