ALT-PU-2017-3659-1

CVE-2014-3627

MEDIUM5.0

The YARN NodeManager daemon in Apache Hadoop 0.23.0 through 0.23.11 and 2.x before 2.5.2, when using Kerberos authentication, allows remote cluster users to change the permissions of certain files to world-readable via a symlink attack in a public tar archive, which is not properly handled during localization, related to distributed cache.

Published: 2014-12-05Modified: 2025-04-12

CVSS 2.0MEDIUM 5.0

CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:N

References

CVE-2016-5001

MEDIUM5.5

This is an information disclosure vulnerability in Apache Hadoop before 2.6.4 and 2.7.x before 2.7.2 in the short-circuit reads feature of HDFS. A local user on an HDFS DataNode may be able to craft a block token that grants unauthorized read access to random files by guessing certain fields in the token.

Published: 2017-08-30Modified: 2025-04-20

CVSS 2.0LOW 2.1

CVSS:2.0/AV:L/AC:L/Au:N/C:P/I:N/A:N

CVSS 3.xMEDIUM 5.5

CVSS:3.x/CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

References

CVE-2017-3161

MEDIUM6.1

The HDFS web UI in Apache Hadoop before 2.7.0 is vulnerable to a cross-site scripting (XSS) attack through an unescaped query parameter.

Published: 2017-04-26Modified: 2025-04-20

CVSS 2.0MEDIUM 4.3

CVSS:2.0/AV:N/AC:M/Au:N/C:N/I:P/A:N

CVSS 3.xMEDIUM 6.1

CVSS:3.x/CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References

CVE-2017-3162

HIGH7.3

HDFS clients interact with a servlet on the DataNode to browse the HDFS namespace. The NameNode is provided as a query parameter that is not validated in Apache Hadoop before 2.7.0.

Published: 2017-04-26Modified: 2025-04-20

CVSS 2.0HIGH 7.5

CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS 3.xHIGH 7.3

CVSS:3.x/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

References

GHSA-8r28-r8cp-g6cp

MEDIUM5.5

Exposure of Sensitive Information to an Unauthorized Actor in Apache Hadoop

Published: 2022-05-13Modified: 2022-07-06

CVSS 3.xMEDIUM 5.5

CVSS:3.x/CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

References

GHSA-jpmf-8cj2-595g

NONE

Improper Link Resolution Before File Access in Apache Hadoop

Published: 2022-05-17Modified: 2022-07-08

References

GHSA-pr9x-qmp5-j3rr

HIGH7.3

Improper Input Validation in Apache Hadoop

Published: 2022-05-13Modified: 2022-07-01

CVSS 3.xHIGH 7.3

CVSS:3.x/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

References

GHSA-qm7f-r83w-3p46

MEDIUM6.1

Improper Neutralization of Input During Web Page Generation in Apache Hadoop

Published: 2022-05-13Modified: 2022-07-01

CVSS 3.xMEDIUM 6.1

CVSS:3.x/CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References

Package update hadoop in branch sisyphus

Closed issues (8)

The HDFS web UI in Apache Hadoop before 2.7.0 is vulnerable to a cross-site scripting (XSS) attack through an unescaped query parameter.

HDFS clients interact with a servlet on the DataNode to browse the HDFS namespace. The NameNode is provided as a query parameter that is not validated in Apache Hadoop before 2.7.0.

Exposure of Sensitive Information to an Unauthorized Actor in Apache Hadoop

Improper Link Resolution Before File Access in Apache Hadoop

Improper Input Validation in Apache Hadoop

Improper Neutralization of Input During Web Page Generation in Apache Hadoop