CVE-2018-1296
Description
In Apache Hadoop 3.0.0-alpha1 to 3.0.0, 2.9.0, 2.8.0 to 2.8.3, and 2.5.0 to 2.7.5, HDFS exposes extended attribute key/value pairs during listXAttrs, verifying only path-level search access to the directory rather than path-level read permission to the referent.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
HDFS listXAttrs exposes extended attribute key/value pairs without verifying read permission on the file or directory.
Vulnerability
In Apache Hadoop 3.0.0-alpha1 to 3.0.0, 2.9.0, 2.8.0 to 2.8.3, and 2.5.0 to 2.7.5, the HDFS listXAttrs operation only verifies path-level search access to the directory, instead of path-level read permission on the referent file or directory [1][2]. This allows unauthorized retrieval of extended attribute key/value pairs for any file or directory in the filesystem whose parent directory the caller can traverse.
Exploitation
An authenticated attacker who has search (execute) permission on a parent directory, but lacks read permission on a specific file or directory within it, can still call listXAttrs on that referent to enumerate its extended attribute names and values [2]. No additional privileges or race conditions are required; the attacker only needs network access to an HDFS NameNode or gateway that exposes the listXAttrs RPC.
Impact
Successful exploitation results in unauthorized disclosure of sensitive data stored in HDFS extended attributes, leading to a breach of confidentiality [1][2]. The attacker does not gain write access or code execution; the impact is limited to information exposure.
Mitigation
The vulnerability is fixed in Hadoop 2.7.6, 2.8.4, and 2.9.1 [2]. Users should upgrade to one of these patched versions. There is no workaround available for unpatched releases, and affected versions remain at risk until updated.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.apache.hadoop:hadoop-main | Maven | < 2.7.6 | 2.7.6 |
| org.apache.hadoop:hadoop-main | Maven | >= 2.8.0, < 2.8.4 | 2.8.4 |
| org.apache.hadoop:hadoop-main | Maven | >= 2.9.0, < 2.9.1 | 2.9.1 |
Affected products
- Apache Software Foundation / Apache Hadoop. Range: Apache Hadoop 3.0.0-alpha1 to 3.0.0, 2.9.0, 2.8.0 to 2.8.3, 2.5.0 to 2.7.5
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- https://github.com/advisories/GHSA-v569-g72v-q434 (GHSA advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2018-1296 (NVD advisory)
- https://www.securityfocus.com/bid/106764 (SecurityFocus BID)
- https://lists.apache.org/thread.html/a5b15bc76fbdad2ee40761aacf954a13aeef67e305f86d483f267e8e%40%3Cuser.hadoop.apache.org%3E (Apache user@hadoop mailing list announcement)
News mentions
No linked articles in our index yet.