High severity8.8NVD Advisory· Published Nov 29, 2016· Updated May 6, 2026

CVE-2016-5393

Description

In Apache Hadoop 2.6.x before 2.6.5 and 2.7.x before 2.7.3, a remote user who can authenticate with the HDFS NameNode can possibly run arbitrary commands with the same privileges as the HDFS service.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
org.apache.hadoop:hadoop-commonMaven	>= 2.6.0, < 2.6.5	2.6.5
org.apache.hadoop:hadoop-commonMaven	>= 2.7.0, < 2.7.3	2.7.3

Affected products

Apache/Hadoop8 versions
cpe:2.3:a:apache:hadoop:2.6.0:*:*:*:*:*:*:*+ 7 more
- cpe:2.3:a:apache:hadoop:2.6.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:hadoop:2.6.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache:hadoop:2.6.2:*:*:*:*:*:*:*
- cpe:2.3:a:apache:hadoop:2.6.3:*:*:*:*:*:*:*
- cpe:2.3:a:apache:hadoop:2.6.4:*:*:*:*:*:*:*
- cpe:2.3:a:apache:hadoop:2.7.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:hadoop:2.7.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache:hadoop:2.7.2:*:*:*:*:*:*:*

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

mail-archives.apache.org/mod_mbox/hadoop-general/201611.mbox/%3CCAA0W1bTbUmUUSF1rjRpX-2DvWutcrPt7TJSWUcSLg1F0gyHG1Q%40mail.gmail.com%3EnvdMailing ListVendor AdvisoryWEB
www.securityfocus.com/bid/94574nvdThird Party AdvisoryVDB EntryWEB
github.com/advisories/GHSA-7q56-mp4c-ggggghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2016-5393ghsaADVISORY

News mentions

No linked articles in our index yet.

cvss	0.572
epss	0.002
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000