Maven package
org.apache.hadoop/hadoop-client
pkg:maven/org.apache.hadoop/hadoop-client
Vulnerabilities (5)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2012-4449 | Critical | 9.8 | | < 0.23.4 | 0.23.4 | Oct 30, 2017 | Apache Hadoop before 0.23.4, 1.x before 1.0.4, and 2.x before 2.0.2 generate token passwords using a 20-bit secret when Kerberos security features are enabled, which makes it easier for context-dependent attackers to crack secret keys via a brute-force attack. |
| CVE-2017-3162 | High | 7.3 | | < 2.7.0 | 2.7.0 | Apr 26, 2017 | HDFS clients interact with a servlet on the DataNode to browse the HDFS namespace. The NameNode is provided as a query parameter that is not validated in Apache Hadoop before 2.7.0. |
| CVE-2017-3161 | Medium | 6.1 | | < 2.7.0 | 2.7.0 | Apr 26, 2017 | The HDFS web UI in Apache Hadoop before 2.7.0 is vulnerable to a cross-site scripting (XSS) attack through an unescaped query parameter. |
| CVE-2014-3627 | — | | | >= 0.23.0, < 1.0.1 | 1.0.1 | Dec 5, 2014 | The YARN NodeManager daemon in Apache Hadoop 0.23.0 through 0.23.11 and 2.x before 2.5.2, when using Kerberos authentication, allows remote cluster users to change the permissions of certain files to world-readable via a symlink attack in a public tar archive, which is not proper |
| CVE-2012-3376 | — | | | >= 2.0.0-alpha, < 2.0.1-alpha | 2.0.1-alpha | Jul 12, 2012 | DataNodes in Apache Hadoop 2.0.0 alpha do not check the BlockTokens of clients when Kerberos is enabled and the DataNode has checked out the same BlockPool twice from a NodeName, which might allow remote clients to read arbitrary blocks, write to blocks to which they only have |