ALT-PU-2017-3659-1

CVE-2014-3627

MEDIUM5.0

The YARN NodeManager daemon in Apache Hadoop 0.23.0 through 0.23.11 and 2.x before 2.5.2, when using Kerberos authentication, allows remote cluster users to change the permissions of certain files to world-readable via a symlink attack in a public tar archive, which is not properly handled during localization, related to distributed cache.

Опубликовано: 2014-12-05Изменено: 2025-04-12

CVSS 2.0СРЕДНЯЯ 5.0

CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:N

Ссылки

CVE-2016-5001

MEDIUM5.5

This is an information disclosure vulnerability in Apache Hadoop before 2.6.4 and 2.7.x before 2.7.2 in the short-circuit reads feature of HDFS. A local user on an HDFS DataNode may be able to craft a block token that grants unauthorized read access to random files by guessing certain fields in the token.

Опубликовано: 2017-08-30Изменено: 2025-04-20

CVSS 2.0НИЗКАЯ 2.1

CVSS:2.0/AV:L/AC:L/Au:N/C:P/I:N/A:N

CVSS 3.xСРЕДНЯЯ 5.5

CVSS:3.x/CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Ссылки

CVE-2017-3161

MEDIUM6.1

The HDFS web UI in Apache Hadoop before 2.7.0 is vulnerable to a cross-site scripting (XSS) attack through an unescaped query parameter.

Опубликовано: 2017-04-26Изменено: 2025-04-20

CVSS 2.0СРЕДНЯЯ 4.3

CVSS:2.0/AV:N/AC:M/Au:N/C:N/I:P/A:N

CVSS 3.xСРЕДНЯЯ 6.1

CVSS:3.x/CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Ссылки

CVE-2017-3162

HIGH7.3

HDFS clients interact with a servlet on the DataNode to browse the HDFS namespace. The NameNode is provided as a query parameter that is not validated in Apache Hadoop before 2.7.0.

Опубликовано: 2017-04-26Изменено: 2025-04-20

CVSS 2.0ВЫСОКАЯ 7.5

CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS 3.xВЫСОКАЯ 7.3

CVSS:3.x/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Ссылки

GHSA-8r28-r8cp-g6cp

MEDIUM5.5

Exposure of Sensitive Information to an Unauthorized Actor in Apache Hadoop

Опубликовано: 2022-05-13Изменено: 2022-07-06

CVSS 3.xСРЕДНЯЯ 5.5

CVSS:3.x/CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Ссылки

GHSA-jpmf-8cj2-595g

NONE

Improper Link Resolution Before File Access in Apache Hadoop

Опубликовано: 2022-05-17Изменено: 2022-07-08

Ссылки

GHSA-pr9x-qmp5-j3rr

HIGH7.3

Improper Input Validation in Apache Hadoop

Опубликовано: 2022-05-13Изменено: 2022-07-01

CVSS 3.xВЫСОКАЯ 7.3

CVSS:3.x/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Ссылки

GHSA-qm7f-r83w-3p46

MEDIUM6.1

Improper Neutralization of Input During Web Page Generation in Apache Hadoop

Опубликовано: 2022-05-13Изменено: 2022-07-01

CVSS 3.xСРЕДНЯЯ 6.1

CVSS:3.x/CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Ссылки

Обновление пакета hadoop в ветке sisyphus

Закрытые проблемы (8)

The HDFS web UI in Apache Hadoop before 2.7.0 is vulnerable to a cross-site scripting (XSS) attack through an unescaped query parameter.

HDFS clients interact with a servlet on the DataNode to browse the HDFS namespace. The NameNode is provided as a query parameter that is not validated in Apache Hadoop before 2.7.0.

Exposure of Sensitive Information to an Unauthorized Actor in Apache Hadoop

Improper Link Resolution Before File Access in Apache Hadoop

Improper Input Validation in Apache Hadoop

Improper Neutralization of Input During Web Page Generation in Apache Hadoop