CVSS: 7.5EPSS: 0%CPEs: 12EXPL: 0CVE-2018-1296
https://notcve.org/view.php?id=CVE-2018-1296
07 Feb 2019 — In Apache Hadoop 3.0.0-alpha1 to 3.0.0, 2.9.0, 2.8.0 to 2.8.3, and 2.5.0 to 2.7.5, HDFS exposes extended attribute key/value pairs during listXAttrs, verifying only path-level search access to the directory rather than path-level read permission to the referent. En Apache Hadoop, desde la versión 3.0.0-alpha1 hasta la 3.0.0, 2.9.0, desde la 2.8.0 hasta la 2.8.3 y desde la 2.5.0 hasta la 2.7.5, HDFS expone pares de atributos de valor/clave extendidos durante listXAttrs, verificando solo el acceso de búsqueda... • http://www.securityfocus.com/bid/106764 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 0CVE-2018-11766
https://notcve.org/view.php?id=CVE-2018-11766
27 Nov 2018 — In Apache Hadoop 2.7.4 to 2.7.6, the security fix for CVE-2016-6811 is incomplete. A user who can escalate to yarn user can possibly run arbitrary commands as root user. En Apache Hadoop, de la versión 2.7.4 a la 2.7.6, el parche de seguridad para CVE-2016-6811 está incompleto. Un usuario que pueda escalar a usuario yarn podría ejecutar comandos arbitrarios como usuario root. • http://www.securityfocus.com/bid/106035 •
CVSS: 8.8EPSS: 13%CPEs: 12EXPL: 1CVE-2018-8009 – hadoop: arbitrary file write vulnerability / arbitrary code execution using a specially crafted zip file
https://notcve.org/view.php?id=CVE-2018-8009
13 Nov 2018 — Apache Hadoop 3.1.0, 3.0.0-alpha to 3.0.2, 2.9.0 to 2.9.1, 2.8.0 to 2.8.4, 2.0.0-alpha to 2.7.6, 0.23.0 to 0.23.11 is exploitable via the zip slip vulnerability in places that accept a zip file. Apache Hadoop 3.1.0, 3.0.0-alpha a 3.0.2, 2.9.0 a 2.9.1, 2.8.0 a 2.8.4, 2.0.0-alpha a 2.7.6 y 0.23.0 a 0.23.11 puede explotarse mediante la vulnerabilidad "zip slip" en lugares que aceptan un archivo zip. This release of Red Hat Fuse 7.5.0 serves as a replacement for Red Hat Fuse 7.4, and includes bug fixes and enha... • http://www.securityfocus.com/bid/105927 • CWE-20: Improper Input Validation CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 9.8EPSS: 0%CPEs: 2EXPL: 0CVE-2017-15718 – Apache Hadoop YARN NodeManager Password Leak
https://notcve.org/view.php?id=CVE-2017-15718
24 Jan 2018 — The YARN NodeManager in Apache Hadoop 2.7.3 and 2.7.4 can leak the password for credential store provider used by the NodeManager to YARN Applications. El YARN NodeManager en Apache Hadoop 2.7.3 y 2.7.4 puede filtrar la contraseña del proveedor de almacén de contraseñas utilizado por el NodeManager en aplicaciones YARN. In Apache Hadoop 2.7.3 and 2.7.4, the security fix for CVE-2016-3086 is incomplete. The YARN NodeManager can leak the password for credential store provider used by the NodeManager to YARN A... • https://lists.apache.org/thread.html/773c93c2d8a6a52bbe97610c2b1c2ad205b970e1b8c04fb5b2fccad6%40%3Cgeneral.hadoop.apache.org%3E •
CVSS: 6.5EPSS: 0%CPEs: 16EXPL: 0CVE-2017-15713 – Apache Hadoop 0.23.x Private File Disclosure
https://notcve.org/view.php?id=CVE-2017-15713
19 Jan 2018 — Vulnerability in Apache Hadoop 0.23.x, 2.x before 2.7.5, 2.8.x before 2.8.3, and 3.0.0-alpha through 3.0.0-beta1 allows a cluster user to expose private files owned by the user running the MapReduce job history server process. The malicious user can construct a configuration file containing XML directives that reference sensitive files on the MapReduce job history server host. Vulnerabilidad en Apache Hadoop 0.23.x, 2.x en versiones anteriores a la 2.7.5, 2.8.x en versiones anteriores a la 2.8.3 y 3.0.0-alp... • https://lists.apache.org/thread.html/a790a251ace7213bde9f69777dedb453b1a01a6d18289c14a61d4f91%40%3Cgeneral.hadoop.apache.org%3E • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 7.8EPSS: 0%CPEs: 10EXPL: 0CVE-2017-3166
https://notcve.org/view.php?id=CVE-2017-3166
13 Nov 2017 — In Apache Hadoop versions 2.6.1 to 2.6.5, 2.7.0 to 2.7.3, and 3.0.0-alpha1, if a file in an encryption zone with access permissions that make it world readable is localized via YARN's localization mechanism, that file will be stored in a world-readable location and can be shared freely with any application that requests to localize that file. En Apache Hadoop, en versiones 2.6.1 a 2.6.5, 2.7.0 a 2.7.3 y 3.0.0-alpha1, si un archivo en una zona de cifrado con permisos de acceso que lo hacen legible para todos... • https://lists.apache.org/thread.html/2e16689b44bdd1976b6368c143a4017fc7159d1f2d02a5d54fe9310f%40%3Cgeneral.hadoop.apache.org%3E • CWE-732: Incorrect Permission Assignment for Critical Resource •
CVSS: 9.8EPSS: 0%CPEs: 8EXPL: 0CVE-2012-4449
https://notcve.org/view.php?id=CVE-2012-4449
30 Oct 2017 — Apache Hadoop before 0.23.4, 1.x before 1.0.4, and 2.x before 2.0.2 generate token passwords using a 20-bit secret when Kerberos security features are enabled, which makes it easier for context-dependent attackers to crack secret keys via a brute-force attack. Apache Hadoop en versiones anteriores a la 0.23.4, las versiones 1.x anteriores a la 1.0.4 y las versiones 2.x anteriores a la 2.0.2 genera contraseñas token empleando un secreto de 20 bits cuando las características de seguridad de Kerberos están hab... • http://mail-archives.apache.org/mod_mbox/hadoop-general/201210.mbox/%3CCA+z3+9FYdPmzBEaMZ71SUqzRx=eU=o4mSHUsbrpzgR9X_F1c0Q%40mail.gmail.com%3E • CWE-327: Use of a Broken or Risky Cryptographic Algorithm •
CVSS: 9.8EPSS: 0%CPEs: 8EXPL: 0CVE-2016-3086 – Apache Hadoop YARN NodeManager Password Leak
https://notcve.org/view.php?id=CVE-2016-3086
05 Sep 2017 — The YARN NodeManager in Apache Hadoop 2.6.x before 2.6.5 and 2.7.x before 2.7.3 can leak the password for credential store provider used by the NodeManager to YARN Applications. YARN NodeManager en Apache Hadoop en versiones 2.6.x anteriores a la 2.6.5 y 2.7.x anteriores a la 2.7.3 puede filtrar la contraseña del proveedor de almacén de contraseñas utilizado por el NodeManager en aplicaciones YARN. In Apache Hadoop 2.7.3 and 2.7.4, the security fix for CVE-2016-3086 is incomplete. The YARN NodeManager can l... • http://mail-archives.apache.org/mod_mbox/hadoop-general/201701.mbox/%3C0ed32746-5a53-9051-5877-2b1abd88beb6%40apache.org%3E • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 0CVE-2016-5001
https://notcve.org/view.php?id=CVE-2016-5001
30 Aug 2017 — This is an information disclosure vulnerability in Apache Hadoop before 2.6.4 and 2.7.x before 2.7.2 in the short-circuit reads feature of HDFS. A local user on an HDFS DataNode may be able to craft a block token that grants unauthorized read access to random files by guessing certain fields in the token. Existe una vulnerabilidad de divulgación de información en Apache Hadoop en versiones anteriores a la 2.6.4 y en 2.7.x anteriores a la 2.7.2 en la característica short-circuit reads en HDFS. Un usuario loc... • http://seclists.org/oss-sec/2016/q4/698 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 8.5EPSS: 0%CPEs: 3EXPL: 0CVE-2017-7669
https://notcve.org/view.php?id=CVE-2017-7669
02 Jun 2017 — In Apache Hadoop 2.8.0, 3.0.0-alpha1, and 3.0.0-alpha2, the LinuxContainerExecutor runs docker commands as root with insufficient input validation. When the docker feature is enabled, authenticated users can run commands as root. En Hadoop versiones 2.8.0, 3.0.0-alpha1 y 3.0.0-alpha2 de Apache, el LinuxContainerExecutor ejecuta comandos docker como root con una comprobación de entrada insuficiente. Cuando la funcionalidad docker está habilitada, los usuarios autenticados pueden ejecutar comandos como root. • http://www.securityfocus.com/bid/98795 • CWE-20: Improper Input Validation •