Maven package
org.apache.hadoop/hadoop-main
pkg:maven/org.apache.hadoop/hadoop-main
Vulnerabilities (13)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2018-11764 | — | — | — | >= 3.0.0-alpha4, < 3.0.1 | 3.0.1 | Oct 21, 2020 | Web endpoint authentication check is broken in Apache Hadoop 3.0.0-alpha4, 3.0.0-beta1, and 3.0.0. Authenticated users may impersonate any user even if no proxy user is configured. |
| CVE-2018-11765 | — | — | — | >= 3.0.0-alpha2, < 3.0.1 | 3.0.1 | Sep 30, 2020 | In Apache Hadoop versions 3.0.0-alpha2 to 3.0.0, 2.9.0 to 2.9.2, 2.8.0 to 2.8.5, any users can access some servlets without authentication when Kerberos authentication is enabled and SPNEGO through HTTP is not enabled. |
| CVE-2012-2945 | — | — | — | < 1.0.4 | 1.0.4 | Oct 28, 2019 | Hadoop 1.0.3 contains a symlink vulnerability. |
| CVE-2018-11768 | — | — | — | >= 2.2.0, < 2.8.5 | 2.8.5 | Oct 4, 2019 | In Apache Hadoop 3.1.0 to 3.1.1, 3.0.0-alpha1 to 3.0.3, 2.9.0 to 2.9.1, and 2.0.0-alpha to 2.8.4, the user/group information can be corrupted across storing in fsimage and reading back from fsimage. |
| CVE-2018-8029 | — | — | — | >= 2.2.0, < 2.8.4 | 2.8.4 | May 30, 2019 | In Apache Hadoop versions 3.0.0-alpha1 to 3.1.0, 2.9.0 to 2.9.1, and 2.2.0 to 2.8.4, a user who can escalate to yarn user can possibly run arbitrary commands as root user. |
| CVE-2018-11767 | — | — | — | >= 2.7.5, < 2.7.7 | 2.7.7 | Mar 18, 2019 | In Apache Hadoop 2.9.0 to 2.9.1, 2.8.3 to 2.8.4, 2.7.5 to 2.7.6, KMS blocking users or granting access to users incorrectly, if the system uses non-default groups mapping mechanisms. |
| CVE-2018-1296 | — | — | — | < 2.7.6 | 2.7.6 | Feb 7, 2019 | In Apache Hadoop 3.0.0-alpha1 to 3.0.0, 2.9.0, 2.8.0 to 2.8.3, and 2.5.0 to 2.7.5, HDFS exposes extended attribute key/value pairs during listXAttrs, verifying only path-level search access to the directory rather than path-level read permission to the referent. |
| CVE-2018-11766 | — | — | — | >= 2.7.4, < 2.7.7 | 2.7.7 | Nov 27, 2018 | In Apache Hadoop 2.7.4 to 2.7.6, the security fix for CVE-2016-6811 is incomplete. A user who can escalate to yarn user can possibly run arbitrary commands as root user. |
| CVE-2018-8009 | — | — | — | >= 3.1.0, < 3.1.1 | 3.1.1 | Nov 13, 2018 | Apache Hadoop 3.1.0, 3.0.0-alpha to 3.0.2, 2.9.0 to 2.9.1, 2.8.0 to 2.8.4, 2.0.0-alpha to 2.7.6, 0.23.0 to 0.23.11 is exploitable via the zip slip vulnerability in places that accept a zip file. |
| CVE-2017-15718 | — | — | — | >= 2.7.3, < 2.7.5 | 2.7.5 | Jan 24, 2018 | The YARN NodeManager in Apache Hadoop 2.7.3 and 2.7.4 can leak the password for credential store provider used by the NodeManager to YARN Applications. |
| CVE-2017-15713 | — | — | — | < 2.7.5 | 2.7.5 | Jan 19, 2018 | Vulnerability in Apache Hadoop 0.23.x, 2.x before 2.7.5, 2.8.x before 2.8.3, and 3.0.0-alpha through 3.0.0-beta1 allows a cluster user to expose private files owned by the user running the MapReduce job history server process. The malicious user can construct a configuration file |
| CVE-2017-3166 | High | 7.8 | — | < 2.7.3 | 2.7.3 | Nov 13, 2017 | In Apache Hadoop versions 2.6.1 to 2.6.5, 2.7.0 to 2.7.3, and 3.0.0-alpha1, if a file in an encryption zone with access permissions that make it world readable is localized via YARN's localization mechanism, that file will be stored in a world-readable location and can be shared |
| CVE-2012-1574 | — | — | — | >= 0.23, < 0.23.2 | 0.23.2 | Apr 12, 2012 | The Kerberos/MapReduce security functionality in Apache Hadoop 0.20.203.0 through 0.20.205.0, 0.23.x before 0.23.2, and 1.0.x before 1.0.2, as used in Cloudera CDH CDH3u0 through CDH3u2, Cloudera hadoop-0.20-sbin before 0.20.2+923.197, and other products, allows remote authentica |