
CVSS: 5.0 • EPSS: 0% • CPEs: 26 • EXPL: 0

The YARN NodeManager daemon in Apache Hadoop 0.23.0 through 0.23.11 and 2.x before 2.5.2, when using Kerberos authentication, allows remote cluster users to change the permissions of certain files to world-readable via a symlink attack in a public tar archive, which is not properly handled during localization, related to distributed cache.

References:
• http://mail-archives.apache.org/mod_mbox/hadoop-general/201411.mbox/%3CCALwhT97dOi04aC3VbekaB+zn2UAS_OZV2EAiP78GmjnMzfp2Ug%40mail.gmail.com%3E
• http://secunia.com/advisories/60079
• http://secunia.com/advisories/60432

CWE-59: Improper Link Resolution Before File Access ('Link Following')

CVSS: 3.2 • EPSS: 0% • CPEs: 23 • EXPL: 0

The RPC protocol implementation in Apache Hadoop 2.x before 2.0.6-alpha, 0.23.x before 0.23.9, and 1.x before 1.2.1, when the Kerberos security features are enabled, allows man-in-the-middle attackers to disable bidirectional authentication and obtain sensitive information by forcing a downgrade to simple authentication.

References:
• http://rhn.redhat.com/errata/RHSA-2014-0037.html
• http://rhn.redhat.com/errata/RHSA-2014-0400.html
• http://seclists.org/fulldisclosure/2013/Aug/251
• http://secunia.com/advisories/57915
• https://www.cloudera.com/documentation/other/security-bulletins/topics/csb_topic_1.html
• https://access.redhat.com/security/cve/CVE-2013-2192
• https://bugzilla.redhat.com/show_bug.cgi?id=1001326

CWE-287: Improper Authentication

CVSS: 7.5 • EPSS: 0% • CPEs: 1 • EXPL: 0

DataNodes in Apache Hadoop 2.0.0 alpha do not check the BlockTokens of clients when Kerberos is enabled and the DataNode has checked out the same BlockPool twice from a NodeName, which might allow remote clients to read arbitrary blocks, write to blocks to which they only have read access, and have other unspecified impacts.

References:
• http://archives.neohapsis.com/archives/bugtraq/2012-07/0049.html
• http://www.securityfocus.com/bid/54358
• https://www.cloudera.com/documentation/other/security-bulletins/topics/csb_topic_1.html

CWE-310: Cryptographic Issues

CVSS: 7.5 • EPSS: 0% • CPEs: 1 • EXPL: 1

Hadoop 1.0.3 contains a symlink vulnerability. Hadoop version 1.0.3 suffers from a local privilege escalation symlink vulnerability.

References:
• https://seclists.org/fulldisclosure/2012/Jul/3
• https://security-tracker.debian.org/tracker/CVE-2012-2945

CWE-59: Improper Link Resolution Before File Access ('Link Following')

CVSS: 6.5 • EPSS: 0% • CPEs: 13 • EXPL: 0

The Kerberos/MapReduce security functionality in Apache Hadoop 0.20.203.0 through 0.20.205.0, 0.23.x before 0.23.2, and 1.0.x before 1.0.2, as used in Cloudera CDH CDH3u0 through CDH3u2, Cloudera hadoop-0.20-sbin before 0.20.2+923.197, and other products, allows remote authenticated users to impersonate arbitrary cluster user accounts via unspecified vectors.

References:
• http://archives.neohapsis.com/archives/bugtraq/2012-04/0051.html
• http://seclists.org/fulldisclosure/2012/Apr/70
• http://secunia.com/advisories/48775
• http://secunia.com/advisories/48776
• http://www.securityfocus.com/bid/52939
• https://ccp.cloudera.com/display/DOC/Cloudera+Security+Bulletin
• https://www.cloudera.com/documentation/other/security-bulletins/topics/csb_topic_1.html

CWE-310: Cryptographic Issues