CVE-2020-9492 – hadoop: WebHDFS client might send SPNEGO authorization header
https://notcve.org/view.php?id=CVE-2020-9492
In Apache Hadoop 3.2.0 to 3.2.1, 3.0.0-alpha1 to 3.1.3, and 2.0.0-alpha to 2.10.0, WebHDFS client might send SPNEGO authorization header to remote URL without proper verification. En Apache Hadoop versiones 3.2.0 hasta 3.2.1, versiones 3.0.0-alpha1 hasta 3.1.3 y versiones 2.0.0-alpha hasta 2.10.0, el cliente WebHDFS puede enviar el encabezado de autorización SPNEGO hacia una URL remota sin la comprobación apropiada A flaw was found in Apache hadoop. The WebHDFS client can send a SPNEGO authorization header to a remote URL without proper verification which could lead to an access restriction bypass. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. • https://lists.apache.org/thread.html/r0a534f1cde7555f7208e9f9b791c1ab396d215eaaef283b3a9153429%40%3Ccommits.druid.apache.org%3E https://lists.apache.org/thread.html/r49c9ab444ab1107c6a8be8a0d66602dec32a16d96c2631fec8d309fb%40%3Cissues.solr.apache.org%3E https://lists.apache.org/thread.html/r4a57de5215494c35c8304cf114be75d42df7abc6c0c54bf163c3e370%40%3Cissues.solr.apache.org%3E https://lists.apache.org/thread.html/r513758942356ccd0d14538ba18a09903fc72716d74be1cb727ea91ff%40%3Cgeneral.hadoop.apache.org%3E https://lists.apache.org/thread.html/r6341f2a468ced8872a71997aa1786ce036242413484f0fa68dc9ca02% • CWE-863: Incorrect Authorization •
CVE-2018-11764
https://notcve.org/view.php?id=CVE-2018-11764
Web endpoint authentication check is broken in Apache Hadoop 3.0.0-alpha4, 3.0.0-beta1, and 3.0.0. Authenticated users may impersonate any user even if no proxy user is configured. Una comprobación de autenticación de endpoint web no funciona en Apache Hadoop versiones 3.0.0-alpha4, 3.0.0-beta1 y 3.0.0. Los usuarios autenticados pueden hacerse pasar por cualquier usuario incluso si ningún usuario proxy es configurado • https://lists.apache.org/thread.html/r790ad0a049cde713b93589ecfd4dd2766fda0fc6807eedb6cf69f5c1%40%3Cgeneral.hadoop.apache.org%3E https://security.netapp.com/advisory/ntap-20201103-0003 • CWE-306: Missing Authentication for Critical Function •
CVE-2018-11765
https://notcve.org/view.php?id=CVE-2018-11765
In Apache Hadoop versions 3.0.0-alpha2 to 3.0.0, 2.9.0 to 2.9.2, 2.8.0 to 2.8.5, any users can access some servlets without authentication when Kerberos authentication is enabled and SPNEGO through HTTP is not enabled. En las versiones de Apache Hadoop versiones 3.0.0-alpha2 hasta 3.0.0, versiones 2.9.0 hasta 2.9.2, versiones 2.8.0 hasta 2.8.5, cualquier usuario puede acceder a algunos servlets sin autenticación cuando la autenticación Kerberos está habilitada y SPNEGO por medio de HTTP no está habilitado • https://lists.apache.org/thread.html/r17d94d132b207dad221595fd8b8b18628f5f5ec7e3f5be939ecd8928%40%3Ccommits.druid.apache.org%3E https://lists.apache.org/thread.html/r2c7f899911a04164ed1707083fcd4135f8427e04778c87d83509b0da%40%3Cgeneral.hadoop.apache.org%3E https://lists.apache.org/thread.html/r46447f38ea8c89421614e9efd7de5e656186d35e10fc97cf88477a01%40%3Ccommits.druid.apache.org%3E https://lists.apache.org/thread.html/r4dddf1705dbedfa94392913b2dad1cd2d1d89040facd389eea0b3510%40%3Ccommits.druid.apache.org%3E https://lists.apache.org/thread.html/r74825601e93582167eb7cdc2f764c74c9c6d8006fa90018562fda60f& • CWE-287: Improper Authentication •
CVE-2019-17195 – nimbus-jose-jwt: Uncaught exceptions while parsing a JWT
https://notcve.org/view.php?id=CVE-2019-17195
Connect2id Nimbus JOSE+JWT before v7.9 can throw various uncaught exceptions while parsing a JWT, which could result in an application crash (potential information disclosure) or a potential authentication bypass. Connect2id Nimbus JOSE+JWT versiones anteriores a v7.9, puede arrojar varias excepciones no captadas al analizar un JWT, lo que podría resultar en un bloqueo de la aplicación (potencial divulgación de información) o una posible omisión de autenticación. A flaw was found in Connect2id Nimbus JOSE+JWT prior to version 7.9. While processing JSON web tokens (JWT), nimbus-jose-jwt can throw various uncaught exceptions resulting in an application crash, information disclosure, or authentication bypass. The highest threat from this vulnerability is to data confidentiality and system availability. • https://bitbucket.org/connect2id/nimbus-jose-jwt/src/master/SECURITY-CHANGELOG.txt https://connect2id.com/blog/nimbus-jose-jwt-7-9 https://lists.apache.org/thread.html/8768553cda5838f59ee3865cac546e824fa740e82d9dc2a7fc44e80d%40%3Ccommon-dev.hadoop.apache.org%3E https://lists.apache.org/thread.html/e10d43984f39327e443e875adcd4a5049193a7c010e81971908caf41%40%3Ccommon-issues.hadoop.apache.org%3E https://lists.apache.org/thread.html/r2667286c8ceffaf893b16829b9612d8f7c4ee6b30362c6c1b583e3c2%40%3Ccommits.druid.apache.org%3E https://lists.apache.org/thread.ht • CWE-248: Uncaught Exception CWE-755: Improper Handling of Exceptional Conditions •
CVE-2018-11768
https://notcve.org/view.php?id=CVE-2018-11768
In Apache Hadoop 3.1.0 to 3.1.1, 3.0.0-alpha1 to 3.0.3, 2.9.0 to 2.9.1, and 2.0.0-alpha to 2.8.4, the user/group information can be corrupted across storing in fsimage and reading back from fsimage. En Apache Hadoop versiones 3.1.0 hasta 3.1.1, 3.0.0-alpha1 hasta 3.0.3, 2.9.0 hasta 2.9.1 y 2.0.0-alpha hasta 2.8.4, la información de user/group puede corromperse durante el almacenamiento en fsimage y una lectura nuevamente desde fsimage. • https://lists.apache.org/thread.html/2067a797b330530a6932f4b08f703b3173253d0a2b7c8c524e54adaf%40%3Cgeneral.hadoop.apache.org%3E https://lists.apache.org/thread.html/2c9cc65864be0058a5d5ed2025dfb9c700bf23d352b0c826c36ff96a%40%3Chdfs-dev.hadoop.apache.org%3E https://lists.apache.org/thread.html/72ca514e01cd5f08151e74f9929799b4cbe1b6e9e6cd24faa72ffcc6%40%3Cdev.lucene.apache.org%3E https://lists.apache.org/thread.html/9b609d4392d886711e694cf40d86f770022baf42a1b1aa97e8244c87%40%3Cdev.lucene.apache.org%3E https://lists.apache.org/thread.html/caacbbba2dcc1105163f76f3dfee5fbd22e0417e0783212787086378%4 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •