CVSS: 9.8EPSS: 0%CPEs: 8EXPL: 0CVE-2016-3086 – Apache Hadoop YARN NodeManager Password Leak
https://notcve.org/view.php?id=CVE-2016-3086
05 Sep 2017 — The YARN NodeManager in Apache Hadoop 2.6.x before 2.6.5 and 2.7.x before 2.7.3 can leak the password for credential store provider used by the NodeManager to YARN Applications. YARN NodeManager en Apache Hadoop en versiones 2.6.x anteriores a la 2.6.5 y 2.7.x anteriores a la 2.7.3 puede filtrar la contraseña del proveedor de almacén de contraseñas utilizado por el NodeManager en aplicaciones YARN. In Apache Hadoop 2.7.3 and 2.7.4, the security fix for CVE-2016-3086 is incomplete. The YARN NodeManager can l... • http://mail-archives.apache.org/mod_mbox/hadoop-general/201701.mbox/%3C0ed32746-5a53-9051-5877-2b1abd88beb6%40apache.org%3E • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 0CVE-2016-5001
https://notcve.org/view.php?id=CVE-2016-5001
30 Aug 2017 — This is an information disclosure vulnerability in Apache Hadoop before 2.6.4 and 2.7.x before 2.7.2 in the short-circuit reads feature of HDFS. A local user on an HDFS DataNode may be able to craft a block token that grants unauthorized read access to random files by guessing certain fields in the token. Existe una vulnerabilidad de divulgación de información en Apache Hadoop en versiones anteriores a la 2.6.4 y en 2.7.x anteriores a la 2.7.2 en la característica short-circuit reads en HDFS. Un usuario loc... • http://seclists.org/oss-sec/2016/q4/698 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 6.1EPSS: 2%CPEs: 1EXPL: 0CVE-2017-3161
https://notcve.org/view.php?id=CVE-2017-3161
26 Apr 2017 — The HDFS web UI in Apache Hadoop before 2.7.0 is vulnerable to a cross-site scripting (XSS) attack through an unescaped query parameter. El interface web HDFS de Apache Hadoop anterior a 2.7.0 es vulnerable a un ataque cross-site scripting a través de un parámetro mal filtrado. • http://www.securityfocus.com/bid/98025 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 1%CPEs: 1EXPL: 0CVE-2017-3162 – Apache Hadoop DataNode Missed Validation
https://notcve.org/view.php?id=CVE-2017-3162
26 Apr 2017 — HDFS clients interact with a servlet on the DataNode to browse the HDFS namespace. The NameNode is provided as a query parameter that is not validated in Apache Hadoop before 2.7.0. Vulnerabilidad en HDFS de Hadoop en versiones anteriores a la 2.7.0, a través de la cual clientes de HDFS podrían interactuar con un servlet en el DataNode para poder explorar el espacio de nombres HDFS. El NameNode se proporcionaría como un parámetro de consulta que no estaría validado en las versiones mencionadas de Apache Had... • http://www.securityfocus.com/bid/98017 • CWE-20: Improper Input Validation •
CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 0CVE-2016-6811 – Apache Hadoop 2.7.3 Privilege Escalation
https://notcve.org/view.php?id=CVE-2016-6811
11 Apr 2017 — In Apache Hadoop 2.x before 2.7.4, a user who can escalate to yarn user can possibly run arbitrary commands as root user. En Apache Hadoop en versiones 2.x anteriores a la 2.7.4, un usuario que pueda escalar a usuario yarn podría ejecutar comandos arbitrarios como usuario root. Apache Hadoop versions 2.2.0 through 2.7.3 suffer from a privilege escalation vulnerability. • https://lists.apache.org/thread.html/9ba3c12bbdfd5b2cae60909e48f92608e00c8d99196390b8cfeca307%40%3Cgeneral.hadoop.apache.org%3E • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 8.8EPSS: 2%CPEs: 8EXPL: 0CVE-2016-5393
https://notcve.org/view.php?id=CVE-2016-5393
29 Nov 2016 — In Apache Hadoop 2.6.x before 2.6.5 and 2.7.x before 2.7.3, a remote user who can authenticate with the HDFS NameNode can possibly run arbitrary commands with the same privileges as the HDFS service. En Apache Hadoop 2.6.x en versiones anteriores a 2.6.5 y 2.7.x en versiones anteriores a 2.7.3, un usuario remoto que pueda autentificarse con el HDFS NameNode podría posiblemente ejecutar comandos arbitrarios con los mismos privilegios que el servicio HDFS. • http://mail-archives.apache.org/mod_mbox/hadoop-general/201611.mbox/%3CCAA0W1bTbUmUUSF1rjRpX-2DvWutcrPt7TJSWUcSLg1F0gyHG1Q%40mail.gmail.com%3E • CWE-284: Improper Access Control •
CVSS: 8.4EPSS: 0%CPEs: 4EXPL: 0CVE-2015-7430
https://notcve.org/view.php?id=CVE-2015-7430
02 Jan 2016 — The Hadoop connector 1.1.1, 2.4, 2.5, and 2.7.0-0 before 2.7.0-3 for IBM Spectrum Scale and General Parallel File System (GPFS) allows local users to read or write to arbitrary GPFS data via unspecified vectors. El conector Hadoop 1.1.1, 2.4, 2.5 y 2.7.0-0 en versiones anteriores a 2.7.0-3 para IBM Spectrum Scale y General Parallel File System (GPFS) permite a usuarios locales leer o escribir datos GPFS arbitrarios a través de vectores no especificados. • http://www-01.ibm.com/support/docview.wss?uid=isg3T1022979 • CWE-264: Permissions, Privileges, and Access Controls •