CVE-2018-11767
Description
In Apache Hadoop 2.9.0 to 2.9.1, 2.8.3 to 2.8.4, 2.7.5 to 2.7.6, KMS blocking users or granting access to users incorrectly, if the system uses non-default groups mapping mechanisms.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Apache Hadoop KMS mis-handles non-default group mappings, allowing incorrect user blocking or access granting.
Vulnerability
The vulnerability affects Apache Hadoop KMS in versions 2.7.5 to 2.7.6, 2.8.3 to 2.8.4, and 2.9.0 to 2.9.1 [1][2]. When using non-default groups mapping mechanisms, the KMS may incorrectly block users or grant access to unauthorized users [1].
Exploitation
No attacker action is needed to trigger the flaw; it is a configuration-dependent defect. When the cluster is configured with a non-default groups mapping mechanism (for example an LDAP-backed or other custom mapping), the KMS evaluates its ACLs against group memberships that do not match the intended policy, so authorization decisions come out wrong in both directions: legitimate users can be blocked and users outside the intended groups can be admitted [1]. The references do not describe specific exploitation steps.
Impact
The outcome is improper access control on the KMS: users who should not hold a key operation may be granted it, and users who should may be denied [1]. Because the KMS guards the encryption-zone keys, the former can expose encrypted HDFS data to unauthorized users and the latter is a denial of service for legitimate workloads.
Mitigation
Upgrade to a fixed version: 2.7.7, 2.8.5, or 2.9.2 [2]. Until the upgrade is done, check the value of hadoop.security.group.mapping in the configuration the KMS process actually loads: deployments on Hadoop's default mapping are not in the condition the advisory describes, while deployments on a non-default mapping (LDAP, composite, or shell-based) should verify that the KMS's effective ACL decisions for representative users match the intended policy.
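As an added triage helper (not code from the Hadoop project or from the advisory), the script below answers the two questions the mitigation above turns on: is the running version inside one of the affected ranges listed on this page, and does the configuration name a non-default groups mapping class? The property name hadoop.security.group.mapping and its shipped default, org.apache.hadoop.security.JniBasedUnixGroupsMappingWithFallback, are standard Hadoop; the core-site.xml content is constructed for the example, and the three-way verdict labels are this script's own.

```python
"""Triage helper for CVE-2018-11767 (added example, not Hadoop project code).

Two questions decide whether a deployment is exposed:
  1. Is the running Hadoop version inside one of the affected ranges?
  2. Is hadoop.security.group.mapping set to a non-default mapping class?
The affected ranges come from the advisory table on this page. The property
name and the default mapping class are the standard Hadoop ones. The sample
core-site.xml below is constructed for this example.
"""
import xml.etree.ElementTree as ET

# (affected_from inclusive, fixed_at exclusive), per the advisory table
AFFECTED_RANGES = [((2, 7, 5), (2, 7, 7)),
                   ((2, 8, 3), (2, 8, 5)),
                   ((2, 9, 0), (2, 9, 2))]

GROUP_MAPPING_KEY = "hadoop.security.group.mapping"
# Hadoop's shipped default for hadoop.security.group.mapping
DEFAULT_GROUP_MAPPING = (
    "org.apache.hadoop.security.JniBasedUnixGroupsMappingWithFallback")


def parse_version(text):
    """'2.8.4' -> (2, 8, 4); a '-suffix' such as '-SNAPSHOT' is dropped."""
    core = text.split("-")[0]
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def version_affected(version):
    """True if the version falls inside one of the advisory's affected ranges."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def configured_group_mapping(core_site_xml):
    """Return the configured mapping class, or None when the property is unset."""
    root = ET.fromstring(core_site_xml)
    for prop in root.iter("property"):
        if prop.findtext("name", default="").strip() == GROUP_MAPPING_KEY:
            return (prop.findtext("value") or "").strip() or None
    return None


def uses_non_default_mapping(core_site_xml):
    """The advisory's precondition: a mapping class other than the default."""
    mapping = configured_group_mapping(core_site_xml)
    return mapping is not None and mapping != DEFAULT_GROUP_MAPPING


def assess(version, core_site_xml):
    """'exposed': affected version and non-default mapping.
    'version-only': affected version but default mapping (upgrade anyway).
    'not-affected': version outside the affected ranges."""
    if not version_affected(version):
        return "not-affected"
    if uses_non_default_mapping(core_site_xml):
        return "exposed"
    return "version-only"


# Constructed sample: an LDAP-backed mapping, one kind of non-default
# mechanism the advisory refers to (hypothetical deployment, not real data).
SAMPLE_CORE_SITE = """<?xml version="1.0"?>
<configuration>
  <property>
    <name>hadoop.security.authentication</name>
    <value>kerberos</value>
  </property>
  <property>
    <name>hadoop.security.group.mapping</name>
    <value>org.apache.hadoop.security.LdapGroupsMapping</value>
  </property>
</configuration>
"""

if __name__ == "__main__":
    for ver in ("2.7.6", "2.8.5", "2.9.1", "3.1.1"):
        print(ver, assess(ver, SAMPLE_CORE_SITE))
```

Run it against the files the KMS process itself reads rather than a copy from an arbitrary client host, since the KMS can carry its own site configuration; a version-only result still warrants the upgrade, it just means the group-mapping precondition in the advisory is not met.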
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.apache.hadoop:hadoop-main | Maven | >= 2.7.5, < 2.7.7 | 2.7.7 |
| org.apache.hadoop:hadoop-main | Maven | >= 2.8.3, < 2.8.5 | 2.8.5 |
| org.apache.hadoop:hadoop-main | Maven | >= 2.9.0, < 2.9.2 | 2.9.2 |
Affected products (2)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-5cf4-jqwp-584g (GitHub Security Advisory)
- nvd.nist.gov/vuln/detail/CVE-2018-11767 (NVD)
- lists.apache.org/thread.html/246cf223e7dc0c1dff90b78dccb6c3fe94e1a044dbf98e2333393302@%3Ccommon-issues.hadoop.apache.org%3E (common-issues@hadoop mailing list; listed by MITRE and GHSA)
- lists.apache.org/thread.html/5a44590b4eedc5e25f5bd3081d1631b52c174b5b99157f7950ddc270@%3Ccommon-dev.hadoop.apache.org%3E (common-dev@hadoop mailing list; listed by MITRE and GHSA)
- lists.apache.org/thread.html/5fb771f66946dd5c99a8a5713347c24873846f555d716f9ac17bccca@%3Cgeneral.hadoop.apache.org%3E (general@hadoop mailing list; listed by MITRE and GHSA)
- lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe@%3Ccommits.druid.apache.org%3E (commits@druid mailing list; listed by MITRE and GHSA)
- security.netapp.com/advisory/ntap-20190416-0009/ (NetApp advisory; listed by MITRE and GHSA)
News mentions
No linked articles in our index yet.