CVE-2017-15713
Description
Vulnerability in Apache Hadoop 0.23.x, 2.x before 2.7.5, 2.8.x before 2.8.3, and 3.0.0-alpha through 3.0.0-beta1 allows a cluster user to expose private files owned by the user running the MapReduce job history server process. The malicious user can construct a configuration file containing XML directives that reference sensitive files on the MapReduce job history server host.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Apache Hadoop MapReduce job history server XML external entity (XXE) vulnerability allows cluster users to access private files on the server host.
Vulnerability
CVE-2017-15713 is an XXE (XML External Entity) vulnerability in the Apache Hadoop MapReduce job history server. It affects Hadoop versions 0.23.x, 2.x before 2.7.5, 2.8.x before 2.8.3, and 3.0.0-alpha through 3.0.0-beta1 [1]. A cluster user with the ability to submit MapReduce jobs can craft a malicious configuration file containing XML directives that reference sensitive files on the job history server host. The configuration is processed by the job history server, allowing the attacker to read arbitrary files owned by the user running that process [1].
Exploitation
An attacker must be an authenticated cluster user with permission to submit MapReduce jobs [1]. The attacker constructs a job configuration file that includes XML external entity (XXE) declarations targeting specific files on the server (e.g., /etc/passwd). When the job history server parses this configuration, the XXE payload is processed, and the contents of the targeted file are exposed in the job history logs or output [1]. No additional privileges or user interaction beyond submitting the job are required.
Impact
Successful exploitation leads to unauthorized disclosure of private files owned by the MapReduce job history server process user [1]. This can expose sensitive data such as credentials, private keys, or system configuration files. The confidentiality of the affected system is compromised; the integrity and availability of the system are not directly affected [1].
Mitigation
Mitigation requires upgrading to a fixed version of Apache Hadoop: 2.7.5, 2.8.3, or later [2]. For versions 3.x, no final patch was released as the 3.0.x series remained in beta; users should upgrade to the stable 2.x release lines. As of the publication date (2018-01-19), no workaround has been documented for unpatched versions [1][2]. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
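Added example, not from the advisory or the Hadoop project: a defensive check that a job history operator could run over stored job configuration files. Hadoop configuration XML never needs a DTD, so the check rejects any file carrying a DOCTYPE or ENTITY declaration on the raw text, before an XML parser gets a chance to resolve anything; the sample configurations and the placeholder file path are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample (not taken from the advisory): a Hadoop job configuration
# in the usual <configuration>/<property> layout, with a DOCTYPE that declares an
# external entity pointing at a file on the job history server host.
SUSPICIOUS_CONF = """<?xml version="1.0"?>
<!DOCTYPE configuration [
  <!ENTITY leak SYSTEM "file:///placeholder/path/on/jobhistory/host">
]>
<configuration>
  <property><name>mapreduce.job.name</name><value>&leak;</value></property>
</configuration>
"""

# Constructed sample of an ordinary job configuration with no DTD at all.
CLEAN_CONF = """<?xml version="1.0"?>
<configuration>
  <property><name>mapreduce.job.name</name><value>wordcount</value></property>
  <property><name>mapreduce.job.queuename</name><value>default</value></property>
</configuration>
"""

# Any DOCTYPE or ENTITY declaration is a red flag: Hadoop configuration files
# never need a DTD, so there is no legitimate reason for one to be present.
DTD_DECLARATION = re.compile(r"<!(DOCTYPE|ENTITY)\b", re.IGNORECASE)


def dtd_findings(xml_text):
    """List the DTD declaration keywords found in the raw text, checked before any XML parser runs."""
    return [m.group(1).upper() for m in DTD_DECLARATION.finditer(xml_text)]


def load_hadoop_conf(xml_text):
    """Parse a Hadoop configuration into {name: value}, refusing any document that carries a DTD.

    The refusal happens on the raw text, so no entity is ever handed to a parser;
    that is the property the vulnerable job history server lacked.
    """
    findings = dtd_findings(xml_text)
    if findings:
        raise ValueError("refusing configuration with DTD declarations: %s" % ", ".join(findings))
    root = ET.fromstring(xml_text)
    if root.tag != "configuration":
        raise ValueError("unexpected root element: %s" % root.tag)
    return {p.findtext("name"): p.findtext("value", default="") for p in root.iter("property")}


if __name__ == "__main__":
    print("suspicious sample:", dtd_findings(SUSPICIOUS_CONF))
    print("clean sample:", load_hadoop_conf(CLEAN_CONF))
```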
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.apache.hadoop:hadoop-main | Maven | < 2.7.5 | 2.7.5 |
| org.apache.hadoop:hadoop-main | Maven | >= 2.8.0, < 2.8.3 | 2.8.3 |
Affected products
- Apache Software Foundation / Apache Hadoop, range: 0.23.0 to 0.23.11
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-3v44-382q-55f4 (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2017-15713 (GHSA, advisory)
- lists.apache.org/thread.html/a790a251ace7213bde9f69777dedb453b1a01a6d18289c14a61d4f91%40%3Cgeneral.hadoop.apache.org%3E (MITRE, mailing list, x_refsource_MLIST)
- lists.apache.org/thread.html/a790a251ace7213bde9f69777dedb453b1a01a6d18289c14a61d4f91@%3Cgeneral.hadoop.apache.org%3E (GHSA, web)
News mentions
No linked articles in our index yet.