VYPR

Hadoop

by Apache

Source repositories

CVEs (18)

  • CVE-2012-4449CriOct 30, 2017
    risk 0.64cvss 9.8epss 0.01

    Apache Hadoop before 0.23.4, 1.x before 1.0.4, and 2.x before 2.0.2 generate token passwords using a 20-bit secret when Kerberos security features are enabled, which makes it easier for context-dependent attackers to crack secret keys via a brute-force attack.

  • CVE-2016-3086CriSep 5, 2017
    risk 0.64cvss 9.8epss 0.04

    The YARN NodeManager in Apache Hadoop 2.6.x before 2.6.5 and 2.7.x before 2.7.3 can leak the password for credential store provider used by the NodeManager to YARN Applications.

  • CVE-2016-6811HigApr 11, 2017
    risk 0.57cvss 8.8epss 0.03

    In Apache Hadoop 2.x before 2.7.4, a user who can escalate to yarn user can possibly run arbitrary commands as root user.

  • CVE-2016-5393HigNov 29, 2016
    risk 0.57cvss 8.8epss 0.03

    In Apache Hadoop 2.6.x before 2.6.5 and 2.7.x before 2.7.3, a remote user who can authenticate with the HDFS NameNode can possibly run arbitrary commands with the same privileges as the HDFS service.

  • CVE-2015-7430HigJan 2, 2016
    risk 0.55cvss 8.4epss 0.01

    The Hadoop connector 1.1.1, 2.4, 2.5, and 2.7.0-0 before 2.7.0-3 for IBM Spectrum Scale and General Parallel File System (GPFS) allows local users to read or write to arbitrary GPFS data via unspecified vectors.

  • CVE-2017-3166HigNov 13, 2017
    risk 0.51cvss 7.8epss 0.00

    In Apache Hadoop versions 2.6.1 to 2.6.5, 2.7.0 to 2.7.3, and 3.0.0-alpha1, if a file in an encryption zone with access permissions that make it world readable is localized via YARN's localization mechanism, that file will be stored in a world-readable location and can be shared…

  • CVE-2017-7669HigJun 5, 2017
    risk 0.49cvss 7.5epss 0.02

    In Apache Hadoop 2.8.0, 3.0.0-alpha1, and 3.0.0-alpha2, the LinuxContainerExecutor runs docker commands as root with insufficient input validation. When the docker feature is enabled, authenticated users can run commands as root.

  • CVE-2017-3162HigApr 26, 2017
    risk 0.48cvss 7.3epss 0.06

    HDFS clients interact with a servlet on the DataNode to browse the HDFS namespace. The NameNode is provided as a query parameter that is not validated in Apache Hadoop before 2.7.0.

  • CVE-2014-0229MedMar 23, 2017
    risk 0.42cvss 6.5epss 0.02

    Apache Hadoop 0.23.x before 0.23.11 and 2.x before 2.4.1, as used in Cloudera CDH 5.0.x before 5.0.2, do not check authorization for the (1) refreshNamenodes, (2) deleteBlockPool, and (3) shutdownDatanode HDFS admin commands, which allows remote authenticated users to cause a…

  • CVE-2017-3161MedApr 26, 2017
    risk 0.40cvss 6.1epss 0.04

    The HDFS web UI in Apache Hadoop before 2.7.0 is vulnerable to a cross-site scripting (XSS) attack through an unescaped query parameter.

  • CVE-2015-1776MedApr 19, 2016
    risk 0.40cvss 6.2epss 0.00

    Apache Hadoop 2.6.x encrypts intermediate data generated by a MapReduce job and stores it along with the encryption key in a credentials file on disk when the Intermediate data encryption feature is enabled, which allows local users to obtain sensitive information by reading the…

  • CVE-2016-5001MedAug 30, 2017
    risk 0.36cvss 5.5epss 0.01

    This is an information disclosure vulnerability in Apache Hadoop before 2.6.4 and 2.7.x before 2.7.2 in the short-circuit reads feature of HDFS. A local user on an HDFS DataNode may be able to craft a block token that grants unauthorized read access to random files by guessing…

  • CVE-2025-27821Jan 26, 2026
    risk 0.00cvss epss 0.01

    Out-of-bounds Write vulnerability in Apache Hadoop HDFS native client. This issue affects Apache Hadoop: from 3.2.0 before 3.4.2. Users are recommended to upgrade to version 3.4.2, which fixes the issue.

  • CVE-2018-11767Mar 18, 2019
    risk 0.00cvss epss 0.04

    In Apache Hadoop 2.9.0 to 2.9.1, 2.8.3 to 2.8.4, 2.7.5 to 2.7.6, KMS blocking users or granting access to users incorrectly, if the system uses non-default groups mapping mechanisms.

  • CVE-2014-3627Dec 5, 2014
    risk 0.00cvss epss 0.03

    The YARN NodeManager daemon in Apache Hadoop 0.23.0 through 0.23.11 and 2.x before 2.5.2, when using Kerberos authentication, allows remote cluster users to change the permissions of certain files to world-readable via a symlink attack in a public tar archive, which is not…

  • CVE-2013-2192Jan 24, 2014
    risk 0.00cvss epss 0.01

    The RPC protocol implementation in Apache Hadoop 2.x before 2.0.6-alpha, 0.23.x before 0.23.9, and 1.x before 1.2.1, when the Kerberos security features are enabled, allows man-in-the-middle attackers to disable bidirectional authentication and obtain sensitive information by…

  • CVE-2012-3376Jul 12, 2012
    risk 0.00cvss epss 0.03

    DataNodes in Apache Hadoop 2.0.0 alpha does not check the BlockTokens of clients when Kerberos is enabled and the DataNode has checked out the same BlockPool twice from a NodeName, which might allow remote clients to read arbitrary blocks, write to blocks to which they only have…

  • CVE-2012-1574Apr 12, 2012
    risk 0.00cvss epss 0.05

    The Kerberos/MapReduce security functionality in Apache Hadoop 0.20.203.0 through 0.20.205.0, 0.23.x before 0.23.2, and 1.0.x before 1.0.2, as used in Cloudera CDH CDH3u0 through CDH3u2, Cloudera hadoop-0.20-sbin before 0.20.2+923.197, and other products, allows remote…