VYPR

Maven package

org.apache.hadoop/hadoop-client

pkg:maven/org.apache.hadoop/hadoop-client

Vulnerabilities (5)

  • CVE-2012-4449 | Critical | Oct 30, 2017
    affected < 0.23.4 | fixed 0.23.4

    Apache Hadoop before 0.23.4, 1.x before 1.0.4, and 2.x before 2.0.2 generate token passwords using a 20-bit secret when Kerberos security features are enabled, which makes it easier for context-dependent attackers to crack secret keys via a brute-force attack.

  • CVE-2017-3162 | High | Apr 26, 2017
    affected < 2.7.0 | fixed 2.7.0

    HDFS clients interact with a servlet on the DataNode to browse the HDFS namespace. The NameNode is provided as a query parameter that is not validated in Apache Hadoop before 2.7.0.

  • CVE-2017-3161 | Medium | Apr 26, 2017
    affected < 2.7.0 | fixed 2.7.0

    The HDFS web UI in Apache Hadoop before 2.7.0 is vulnerable to a cross-site scripting (XSS) attack through an unescaped query parameter.

  • CVE-2014-3627 | Dec 5, 2014
    affected >= 0.23.0, < 1.0.1 | fixed 1.0.1

    The YARN NodeManager daemon in Apache Hadoop 0.23.0 through 0.23.11 and 2.x before 2.5.2, when using Kerberos authentication, allows remote cluster users to change the permissions of certain files to world-readable via a symlink attack in a public tar archive, which is not proper

  • CVE-2012-3376 | Jul 12, 2012
    affected >= 2.0.0-alpha, < 2.0.1-alpha | fixed 2.0.1-alpha

    DataNodes in Apache Hadoop 2.0.0 alpha do not check the BlockTokens of clients when Kerberos is enabled and the DataNode has checked out the same BlockPool twice from a NodeName, which might allow remote clients to read arbitrary blocks, write to blocks to which they only have