Maven package
org.apache.hadoop/hadoop-common
pkg:maven/org.apache.hadoop/hadoop-common
Vulnerabilities (12)
| CVE | Severity | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2024-23454 | — | — | | < 3.4.0 | 3.4.0 | Sep 25, 2024 | Apache Hadoop’s RunJar.run() does not set permissions for temporary directory by default. If sensitive data will be present in this file, all the other local users may be able to view the content. This is because, on unix-like systems, the system temporary directory is shared bet |
| CVE-2022-25168 | — | — | | >= 2.0.0, < 2.10.2 | 2.10.2 | Aug 4, 2022 | Apache Hadoop's FileUtil.unTar(File, File) API does not escape the input file name before being passed to the shell. An attacker can inject arbitrary commands. This is only used in Hadoop 3.3 InMemoryAliasMap.completeBootstrapTransfer, which is only ever run by a local user. It h |
| CVE-2021-37404 | — | — | | >= 3.3.0, < 3.3.2 | 3.3.2 | Jun 13, 2022 | There is a potential heap buffer overflow in Apache Hadoop libhdfs native code. Opening a file path provided by user without validation may result in a denial of service or arbitrary code execution. Users should upgrade to Apache Hadoop 2.10.2, 3.2.3, 3.3.2 or higher. |
| CVE-2022-26612 | — | — | | >= 3.2.0, < 3.2.3 | 3.2.3 | Apr 7, 2022 | In Apache Hadoop, the unTar function uses unTarUsingJava function on Windows and the built-in tar utility on Unix and other OSes. As a result, a TAR entry may create a symlink under the expected extraction directory which points to an external directory. A subsequent TAR entry ma |
| CVE-2020-9492 | — | — | | >= 3.2.0, < 3.2.2 | 3.2.2 | Jan 26, 2021 | In Apache Hadoop 3.2.0 to 3.2.1, 3.0.0-alpha1 to 3.1.3, and 2.0.0-alpha to 2.10.0, WebHDFS client might send SPNEGO authorization header to remote URL without proper verification. |
| CVE-2016-5001 | Medium | 5.5 | | < 2.6.4 | 2.6.4 | Aug 30, 2017 | This is an information disclosure vulnerability in Apache Hadoop before 2.6.4 and 2.7.x before 2.7.2 in the short-circuit reads feature of HDFS. A local user on an HDFS DataNode may be able to craft a block token that grants unauthorized read access to random files by guessing ce |
| CVE-2017-7669 | High | 7.5 | | < 2.8.1 | 2.8.1 | Jun 5, 2017 | In Apache Hadoop 2.8.0, 3.0.0-alpha1, and 3.0.0-alpha2, the LinuxContainerExecutor runs docker commands as root with insufficient input validation. When the docker feature is enabled, authenticated users can run commands as root. |
| CVE-2016-6811 | High | 8.8 | | >= 2.0.0-alpha, < 2.7.4 | 2.7.4 | Apr 11, 2017 | In Apache Hadoop 2.x before 2.7.4, a user who can escalate to yarn user can possibly run arbitrary commands as root user. |
| CVE-2014-0229 | Medium | 6.5 | | >= 0.23.0, < 0.23.11 | 0.23.11 | Mar 23, 2017 | Apache Hadoop 0.23.x before 0.23.11 and 2.x before 2.4.1, as used in Cloudera CDH 5.0.x before 5.0.2, do not check authorization for the (1) refreshNamenodes, (2) deleteBlockPool, and (3) shutdownDatanode HDFS admin commands, which allows remote authenticated users to cause a den |
| CVE-2016-5393 | High | 8.8 | | >= 2.6.0, < 2.6.5 | 2.6.5 | Nov 29, 2016 | In Apache Hadoop 2.6.x before 2.6.5 and 2.7.x before 2.7.3, a remote user who can authenticate with the HDFS NameNode can possibly run arbitrary commands with the same privileges as the HDFS service. |
| CVE-2015-1776 | Medium | 6.2 | | >= 2.6.0, < 2.6.5 | 2.6.5 | Apr 19, 2016 | Apache Hadoop 2.6.x encrypts intermediate data generated by a MapReduce job and stores it along with the encryption key in a credentials file on disk when the Intermediate data encryption feature is enabled, which allows local users to obtain sensitive information by reading the |
| CVE-2013-2192 | — | — | | >= 2.0.0, < 2.0.6-alpha | 2.0.6-alpha | Jan 24, 2014 | The RPC protocol implementation in Apache Hadoop 2.x before 2.0.6-alpha, 0.23.x before 0.23.9, and 1.x before 1.2.1, when the Kerberos security features are enabled, allows man-in-the-middle attackers to disable bidirectional authentication and obtain sensitive information by for |