Medium severity5.5NVD Advisory· Published Aug 30, 2017· Updated May 13, 2026

CVE-2016-5001

Description

This is an information disclosure vulnerability in Apache Hadoop before 2.6.4 and 2.7.x before 2.7.2 in the short-circuit reads feature of HDFS. A local user on an HDFS DataNode may be able to craft a block token that grants unauthorized read access to random files by guessing certain fields in the token.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
org.apache.hadoop:hadoop-commonMaven	< 2.6.4	2.6.4
org.apache.hadoop:hadoop-commonMaven	>= 2.7.0, < 2.7.2	2.7.2

Affected products

Apache/Hadoop3 versions
cpe:2.3:a:apache:hadoop:*:*:*:*:*:*:*:*+ 2 more
- cpe:2.3:a:apache:hadoop:*:*:*:*:*:*:*:*range: <=2.6.3
- cpe:2.3:a:apache:hadoop:2.7.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:hadoop:2.7.1:*:*:*:*:*:*:*
Apache Software Foundation/Apache Hadoopv5
Range: 2.1.0 to 2.6.3

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

seclists.org/oss-sec/2016/q4/698nvdMailing ListThird Party AdvisoryWEB
www.securityfocus.com/bid/94950nvdThird Party AdvisoryVDB Entry
github.com/advisories/GHSA-8r28-r8cp-g6cpghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2016-5001ghsaADVISORY
lists.apache.org/thread.html/r66de86b9a608c1da70b2d27d765c11ec88edf6e5dd6f379ab33e072a@%3Cuser.flink.apache.org%3EghsaWEB
lists.apache.org/thread.html/r66de86b9a608c1da70b2d27d765c11ec88edf6e5dd6f379ab33e072a%40%3Cuser.flink.apache.org%3Envd

News mentions

No linked articles in our index yet.

cvss	0.358
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000