CVSS: 8.8EPSS: 1%CPEs: 7EXPL: 0CVE-2020-9492 – hadoop: WebHDFS client might send SPNEGO authorization header
https://notcve.org/view.php?id=CVE-2020-9492
In Apache Hadoop 3.2.0 to 3.2.1, 3.0.0-alpha1 to 3.1.3, and 2.0.0-alpha to 2.10.0, WebHDFS client might send SPNEGO authorization header to remote URL without proper verification. En Apache Hadoop versiones 3.2.0 hasta 3.2.1, versiones 3.0.0-alpha1 hasta 3.1.3 y versiones 2.0.0-alpha hasta 2.10.0, el cliente WebHDFS puede enviar el encabezado de autorización SPNEGO hacia una URL remota sin la comprobación apropiada A flaw was found in Apache hadoop. The WebHDFS client can send a SPNEGO authorization header to a remote URL without proper verification which could lead to an access restriction bypass. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. • https://lists.apache.org/thread.html/r0a534f1cde7555f7208e9f9b791c1ab396d215eaaef283b3a9153429%40%3Ccommits.druid.apache.org%3E https://lists.apache.org/thread.html/r49c9ab444ab1107c6a8be8a0d66602dec32a16d96c2631fec8d309fb%40%3Cissues.solr.apache.org%3E https://lists.apache.org/thread.html/r4a57de5215494c35c8304cf114be75d42df7abc6c0c54bf163c3e370%40%3Cissues.solr.apache.org%3E https://lists.apache.org/thread.html/r513758942356ccd0d14538ba18a09903fc72716d74be1cb727ea91ff%40%3Cgeneral.hadoop.apache.org%3E https://lists.apache.org/thread.html/r6341f2a468ced8872a71997aa1786ce036242413484f0fa68dc9ca02% • CWE-863: Incorrect Authorization •
CVSS: 9.0EPSS: 0%CPEs: 3EXPL: 0CVE-2018-11764
https://notcve.org/view.php?id=CVE-2018-11764
Web endpoint authentication check is broken in Apache Hadoop 3.0.0-alpha4, 3.0.0-beta1, and 3.0.0. Authenticated users may impersonate any user even if no proxy user is configured. Una comprobación de autenticación de endpoint web no funciona en Apache Hadoop versiones 3.0.0-alpha4, 3.0.0-beta1 y 3.0.0. Los usuarios autenticados pueden hacerse pasar por cualquier usuario incluso si ningún usuario proxy es configurado • https://lists.apache.org/thread.html/r790ad0a049cde713b93589ecfd4dd2766fda0fc6807eedb6cf69f5c1%40%3Cgeneral.hadoop.apache.org%3E https://security.netapp.com/advisory/ntap-20201103-0003 • CWE-306: Missing Authentication for Critical Function •
CVSS: 7.5EPSS: 0%CPEs: 4EXPL: 0CVE-2018-11765
https://notcve.org/view.php?id=CVE-2018-11765
In Apache Hadoop versions 3.0.0-alpha2 to 3.0.0, 2.9.0 to 2.9.2, 2.8.0 to 2.8.5, any users can access some servlets without authentication when Kerberos authentication is enabled and SPNEGO through HTTP is not enabled. En las versiones de Apache Hadoop versiones 3.0.0-alpha2 hasta 3.0.0, versiones 2.9.0 hasta 2.9.2, versiones 2.8.0 hasta 2.8.5, cualquier usuario puede acceder a algunos servlets sin autenticación cuando la autenticación Kerberos está habilitada y SPNEGO por medio de HTTP no está habilitado • https://lists.apache.org/thread.html/r17d94d132b207dad221595fd8b8b18628f5f5ec7e3f5be939ecd8928%40%3Ccommits.druid.apache.org%3E https://lists.apache.org/thread.html/r2c7f899911a04164ed1707083fcd4135f8427e04778c87d83509b0da%40%3Cgeneral.hadoop.apache.org%3E https://lists.apache.org/thread.html/r46447f38ea8c89421614e9efd7de5e656186d35e10fc97cf88477a01%40%3Ccommits.druid.apache.org%3E https://lists.apache.org/thread.html/r4dddf1705dbedfa94392913b2dad1cd2d1d89040facd389eea0b3510%40%3Ccommits.druid.apache.org%3E https://lists.apache.org/thread.html/r74825601e93582167eb7cdc2f764c74c9c6d8006fa90018562fda60f& • CWE-287: Improper Authentication •
CVSS: 7.5EPSS: 0%CPEs: 27EXPL: 0CVE-2018-11768
https://notcve.org/view.php?id=CVE-2018-11768
In Apache Hadoop 3.1.0 to 3.1.1, 3.0.0-alpha1 to 3.0.3, 2.9.0 to 2.9.1, and 2.0.0-alpha to 2.8.4, the user/group information can be corrupted across storing in fsimage and reading back from fsimage. En Apache Hadoop versiones 3.1.0 hasta 3.1.1, 3.0.0-alpha1 hasta 3.0.3, 2.9.0 hasta 2.9.1 y 2.0.0-alpha hasta 2.8.4, la información de user/group puede corromperse durante el almacenamiento en fsimage y una lectura nuevamente desde fsimage. • https://lists.apache.org/thread.html/2067a797b330530a6932f4b08f703b3173253d0a2b7c8c524e54adaf%40%3Cgeneral.hadoop.apache.org%3E https://lists.apache.org/thread.html/2c9cc65864be0058a5d5ed2025dfb9c700bf23d352b0c826c36ff96a%40%3Chdfs-dev.hadoop.apache.org%3E https://lists.apache.org/thread.html/72ca514e01cd5f08151e74f9929799b4cbe1b6e9e6cd24faa72ffcc6%40%3Cdev.lucene.apache.org%3E https://lists.apache.org/thread.html/9b609d4392d886711e694cf40d86f770022baf42a1b1aa97e8244c87%40%3Cdev.lucene.apache.org%3E https://lists.apache.org/thread.html/caacbbba2dcc1105163f76f3dfee5fbd22e0417e0783212787086378%4 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
CVSS: 9.0EPSS: 0%CPEs: 10EXPL: 0CVE-2018-8029
https://notcve.org/view.php?id=CVE-2018-8029
In Apache Hadoop versions 3.0.0-alpha1 to 3.1.0, 2.9.0 to 2.9.1, and 2.2.0 to 2.8.4, a user who can escalate to yarn user can possibly run arbitrary commands as root user. En las versiones 3.0.0-alpha1 hasta 3.1.0, 2.9.0 hasta 2.9.1, y 2.2.0 hasta 2.8.4 de Apache Hadoop, Un usuario que pueda escalar a usuario yarn puede ejecutar comandos arbitrarios como usuario root. • http://www.securityfocus.com/bid/108518 https://lists.apache.org/thread.html/0b8d58e02dbd0fb8bf7320c514fe58da1d6728bdc150f1ba04e0d9fc%40%3Cissues.hbase.apache.org%3E https://lists.apache.org/thread.html/17084c09e6dedf60efe08028b429c92ffd28aacc28454e4fa924578a%40%3Cgeneral.hadoop.apache.org%3E https://lists.apache.org/thread.html/a0164b87660223a2d491f83c88f905fe1a9fa8dc795148d9b0d968c8%40%3Cdev.hbase.apache.org%3E https://lists.apache.org/thread.html/a97c53a81e639ca2fc7b8f61a4fcd1842c2a78544041244a7c624727%40%3Cissues.hbase.apache.org%3E https://lists.apache.org/thread.ht •