Hadoop Security Vulnerabilities and Issues — Hadoop CVE List

Lucene search

ApacheHadoop

9 matches found

CVE•added 2017/04/26 8:59 p.m.•92 views

CVE-2017-3162

HDFS clients interact with a servlet on the DataNode to browse the HDFS namespace. The NameNode is provided as a query parameter that is not validated in Apache Hadoop before 2.7.0.

7.5CVSS7AI score0.00875EPSS

CVE•added 2017/04/11 2:59 p.m.•90 views

CVE-2016-6811

In Apache Hadoop 2.x before 2.7.4, a user who can escalate to yarn user can possibly run arbitrary commands as root user.

9CVSS8.7AI score0.00538EPSS

CVE•added 2017/11/13 2:29 p.m.•85 views

CVE-2017-3166

In Apache Hadoop versions 2.6.1 to 2.6.5, 2.7.0 to 2.7.3, and 3.0.0-alpha1, if a file in an encryption zone with access permissions that make it world readable is localized via YARN's localization mechanism, that file will be stored in a world-readable location and can be shared freely with any app...

7.8CVSS7.4AI score0.00214EPSS

CVE•added 2017/09/05 1:29 p.m.•77 views

CVE-2016-3086

The YARN NodeManager in Apache Hadoop 2.6.x before 2.6.5 and 2.7.x before 2.7.3 can leak the password for credential store provider used by the NodeManager to YARN Applications.

9.8CVSS9.3AI score0.00428EPSS

CVE•added 2017/04/26 8:59 p.m.•75 views

CVE-2017-3161

The HDFS web UI in Apache Hadoop before 2.7.0 is vulnerable to a cross-site scripting (XSS) attack through an unescaped query parameter.

6.1CVSS5.9AI score0.02473EPSS

CVE•added 2017/10/30 7:29 p.m.•73 views

CVE-2012-4449

Apache Hadoop before 0.23.4, 1.x before 1.0.4, and 2.x before 2.0.2 generate token passwords using a 20-bit secret when Kerberos security features are enabled, which makes it easier for context-dependent attackers to crack secret keys via a brute-force attack.

9.8CVSS9.3AI score0.00403EPSS

CVE•added 2017/08/30 7:29 p.m.•71 views

CVE-2016-5001

This is an information disclosure vulnerability in Apache Hadoop before 2.6.4 and 2.7.x before 2.7.2 in the short-circuit reads feature of HDFS. A local user on an HDFS DataNode may be able to craft a block token that grants unauthorized read access to random files by guessing certain fields in the...

5.5CVSS5AI score0.00135EPSS

CVE•added 2017/06/05 1:29 a.m.•63 views

CVE-2017-7669

In Apache Hadoop 2.8.0, 3.0.0-alpha1, and 3.0.0-alpha2, the LinuxContainerExecutor runs docker commands as root with insufficient input validation. When the docker feature is enabled, authenticated users can run commands as root.

8.5CVSS7.5AI score0.00298EPSS

CVE•added 2017/03/23 8:59 p.m.•54 views

CVE-2014-0229

Apache Hadoop 0.23.x before 0.23.11 and 2.x before 2.4.1, as used in Cloudera CDH 5.0.x before 5.0.2, do not check authorization for the (1) refreshNamenodes, (2) deleteBlockPool, and (3) shutdownDatanode HDFS admin commands, which allows remote authenticated users to cause a denial of service (Dat...

6.5CVSS6.4AI score0.0037EPSS