
CVE-2018-11744
https://notcve.org/view.php?id=CVE-2018-11744
11 Jul 2019 — Cloudera Manager through 5.15 has Incorrect Access Control. • https://www.cloudera.com/documentation/other/security-bulletins/topics/Security-Bulletin.html • CWE-284: Improper Access Control •

CVE-2017-9326
https://notcve.org/view.php?id=CVE-2017-9326
03 Jul 2019 — The keystore password for the Spark History Server may be exposed in unsecured files under the /var/run/cloudera-scm-agent directory managed by Cloudera Manager. The keystore file itself is not exposed. • https://www.cloudera.com/documentation/other/security-bulletins/topics/Security-Bulletin.html • CWE-255: Credentials Management Errors •

CVE-2017-9327
https://notcve.org/view.php?id=CVE-2017-9327
03 Jul 2019 — Secret data of processes managed by CM is not secured by file permissions. • https://www.cloudera.com/documentation/other/security-bulletins/topics/Security-Bulletin.html • CWE-275: Permission Issues •

CVE-2018-15913
https://notcve.org/view.php?id=CVE-2018-15913
20 Jun 2019 — An issue was discovered in Cloudera Manager 5.x through 5.15.0. One type of page in Cloudera Manager uses a 'returnUrl' parameter to redirect the user to another page in Cloudera Manager once a wizard is completed. The validity of this parameter was not checked. As a result, the user could be automatically redirected to an attacker's external site or perform a malicious JavaScript function that results in cross-site scripting (XSS). This was fixed by not allowing any value in the returnUrl parameter with pa... • https://www.cloudera.com/documentation/other/security-bulletins/topics/Security-Bulletin.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2018-5798
https://notcve.org/view.php?id=CVE-2018-5798
07 Jun 2019 — This CVE relates to an unspecified cross-site scripting vulnerability in Cloudera Manager. • https://www.cloudera.com • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2018-6185
https://notcve.org/view.php?id=CVE-2018-6185
07 Jun 2019 — In Cloudera Navigator Key Trustee KMS 5.12 and 5.13, incorrect default ACL values allow remote access to purge and undelete API calls on encryption zone keys. The Navigator Key Trustee KMS includes 2 API calls in addition to those in Apache Hadoop KMS: purge and undelete. The KMS ACL values for these commands are keytrustee.kms.acl.PURGE and keytrustee.kms.acl.UNDELETE respectively. The default value for the ACLs in Key Trustee KMS 5.12.0 and 5.13.0 is "*" which allows anyone with knowledge of the name of a... • https://www.cloudera.com • CWE-310: Cryptographic Issues •

CVE-2018-10815
https://notcve.org/view.php?id=CVE-2018-10815
24 May 2019 — An issue was discovered in Cloudera Manager before 5.13.4, 5.14.x before 5.14.4, and 5.15.x before 5.15.1. A read-only user can access sensitive cluster information. • https://www.cloudera.com • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •

CVE-2015-2263
https://notcve.org/view.php?id=CVE-2015-2263
23 Mar 2017 — Cloudera Manager 4.x, 5.0.x before 5.0.6, 5.1.x before 5.1.5, 5.2.x before 5.2.5, and 5.3.x before 5.3.3 uses global read permissions for files in its configuration directory when starting YARN NodeManager, which allows local users to obtain sensitive information by reading the files, as demonstrated by yarn.keytab or ssl-server.xml in /var/run/cloudera-scm-agent/process. • https://www.cloudera.com/documentation/other/security-bulletins/topics/csb_topic_1.html#topic_1_0_3 • CWE-264: Permissions, Privileges, and Access Controls •

CVE-2015-4078
https://notcve.org/view.php?id=CVE-2015-4078
23 Mar 2017 — Cloudera Navigator 2.2.x before 2.2.4 and 2.3.x before 2.3.3 include support for SSLv3 when configured to use SSL/TLS, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack, a variant of CVE-2014-3566 (aka POODLE). • https://www.cloudera.com/documentation/other/security-bulletins/topics/csb_topic_1.html#concept_o1q_wrm_js • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •

CVE-2014-8733
https://notcve.org/view.php?id=CVE-2014-8733
10 Feb 2015 — Cloudera Manager 5.2.0, 5.2.1, and 5.3.0 stores the LDAP bind password in plaintext in unspecified world-readable files under /etc/hadoop, which allows local users to obtain this password. • http://www.cloudera.com/content/cloudera/en/documentation/security-bulletins/Security-Bulletin/csb_topic_2.html • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •