Cloudera
Products
- 22 CVEs
- 10 CVEs
- 8 CVEs
- 4 CVEs
- 2 CVEs
- 2 CVEs
- 1 CVE
- 1 CVE
- 1 CVE
- 1 CVE
- 1 CVE
- 1 CVE
- 1 CVE
- 1 CVE
Recent CVEs
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2015-4166 | | Cri | 0.64 | 9.8 | 0.01 | | Mar 23, 2017 | Cloudera Key Trustee Server before 5.4.3 does not store keys synchronously, which might allow attackers to have unspecified impact via vectors related to loss of an encryption key. |
| CVE-2024-54660 | | Hig | 0.57 | 8.7 | 0.01 | | Jan 16, 2025 | A JNDI injection issue was discovered in Cloudera JDBC Connector for Hive before 2.6.26 and JDBC Connector for Impala before 2.6.35. Attackers can inject malicious parameters into the JDBC URL, triggering JNDI injection during the process when the JDBC Driver uses this URL to… |
| CVE-2017-15536 | | Hig | 0.57 | 8.8 | 0.01 | | Feb 5, 2018 | An issue was discovered in Cloudera Data Science Workbench (CDSW) 1.x before 1.2.0. Several web application vulnerabilities allow malicious authenticated users of CDSW to escalate privileges in CDSW. CDSW users can exploit these vulnerabilities in combination to gain root access… |
| CVE-2016-6605 | | Hig | 0.49 | 7.5 | 0.01 | | Apr 10, 2017 | Impala in CDH 5.2.0 through 5.7.2 and 5.8.0 allows remote attackers to bypass Sentry authorization. |
| CVE-2016-4950 | | Hig | 0.49 | 7.5 | 0.02 | | Mar 7, 2017 | Cloudera Manager 5.5 and earlier allows remote attackers to enumerate user sessions via a request to /api/v11/users/sessions. |
| CVE-2016-4949 | | Hig | 0.49 | 7.5 | 0.02 | | Mar 7, 2017 | Cloudera Manager 5.5 and earlier allows remote attackers to obtain sensitive information via a (1) stderr.log or (2) stdout.log value in the filename parameter to /cmf/process/<process_id>/logs. |
| CVE-2014-0229 | | Med | 0.42 | 6.5 | 0.02 | | Mar 23, 2017 | Apache Hadoop 0.23.x before 0.23.11 and 2.x before 2.4.1, as used in Cloudera CDH 5.0.x before 5.0.2, do not check authorization for the (1) refreshNamenodes, (2) deleteBlockPool, and (3) shutdownDatanode HDFS admin commands, which allows remote authenticated users to cause a… |
| CVE-2018-11649 | | Med | 0.40 | 6.1 | 0.01 | | Jun 1, 2018 | Hue 3.12 has XSS via the /pig/save/ name and script parameters. |
| CVE-2016-4948 | | Med | 0.40 | 6.1 | 0.01 | | Mar 7, 2017 | Multiple cross-site scripting (XSS) vulnerabilities in Cloudera Manager 5.5 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) Template Name field when renaming a template; (2) KDC Server host, (3) Kerberos Security Realm, (4) Kerberos… |
| CVE-2016-4946 | | Med | 0.40 | 6.1 | 0.01 | | Mar 7, 2017 | Multiple cross-site scripting (XSS) vulnerabilities in Cloudera HUE 3.9.0 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) First name or (2) Last name field in the HUE Users page. |
| CVE-2016-4947 | | Med | 0.35 | 5.3 | 0.01 | | Mar 7, 2017 | Cloudera HUE 3.9.0 and earlier allows remote attackers to enumerate user accounts via a request to desktop/api/users/autocomplete. |
| CVE-2015-8094 | | Med | 0.33 | 6.1 | 0.02 | | May 22, 2018 | Open redirect vulnerability in Cloudera HUE before 3.10.0 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the next parameter. |
| CVE-2015-2263 | | Low | 0.21 | 3.3 | 0.00 | | Mar 23, 2017 | Cloudera Manager 4.x, 5.0.x before 5.0.6, 5.1.x before 5.1.5, 5.2.x before 5.2.5, and 5.3.x before 5.3.3 uses global read permissions for files in its configuration directory when starting YARN NodeManager, which allows local users to obtain sensitive information by reading the… |
| CVE-2015-4078 | | Low | 0.20 | 3.1 | 0.01 | | Mar 23, 2017 | Cloudera Navigator 2.2.x before 2.2.4 and 2.3.x before 2.3.3 include support for SSLv3 when configured to use SSL/TLS, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack, a variant of CVE-2014-3566 (aka POODLE). |
| CVE-2013-6446 | | Low | 0.20 | 3.1 | 0.01 | | Mar 23, 2017 | The JobHistory Server in Cloudera CDH 4.x before 4.6.0 and 5.x before 5.0.0 Beta 2, when using MRv2/YARN with HTTP authentication, allows remote authenticated users to obtain sensitive job information by leveraging failure to enforce job ACLs. |
| CVE-2025-3884 | | | 0.01 | — | 0.02 | | May 22, 2025 | Cloudera Hue Ace Editor Directory Traversal Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Cloudera Hue. Authentication is not required to exploit this vulnerability. The specific… |
| CVE-2023-29751 | | | 0.00 | — | 0.00 | | Jun 9, 2023 | An issue found in Yandex Navigator v.6.60 for Android allows unauthorized apps to cause a persistent denial of service by manipulating the SharedPreference files. |
| CVE-2021-32483 | | | 0.00 | — | 0.01 | | Nov 8, 2021 | Cloudera Manager 7.2.4 has Incorrect Access Control, allowing Escalation of Privileges to view the restricted Dashboard. |
| CVE-2021-30132 | | | 0.00 | — | 0.01 | | Nov 8, 2021 | Cloudera Manager 7.2.4 has Incorrect Access Control, allowing Escalation of Privileges. |
| CVE-2021-29243 | | | 0.00 | — | 0.01 | | Nov 8, 2021 | Cloudera Manager 5.x, 6.x, 7.1.x, 7.2.x, and 7.3.x allows XSS. |