CVSS: 3.5EPSS: 0%CPEs: 17EXPL: 0CVE-2013-6446
https://notcve.org/view.php?id=CVE-2013-6446
23 Mar 2017 — The JobHistory Server in Cloudera CDH 4.x before 4.6.0 and 5.x before 5.0.0 Beta 2, when using MRv2/YARN with HTTP authentication, allows remote authenticated users to obtain sensitive job information by leveraging failure to enforce job ACLs. El JobHistory Server en Cloudera CDH 4.x en versiones anteriores a 4.6.0 y 5.x en versiones anteriores a 5.0.0 Beta 2, cuando se utiliza MRv2/YARN con autenticación HTTP, permite a usuarios remotos autenticados obtener información de trabajo sensible aprovechando el f... • http://www.securityfocus.com/bid/97068 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 6.5EPSS: 0%CPEs: 25EXPL: 0CVE-2014-0229
https://notcve.org/view.php?id=CVE-2014-0229
23 Mar 2017 — Apache Hadoop 0.23.x before 0.23.11 and 2.x before 2.4.1, as used in Cloudera CDH 5.0.x before 5.0.2, do not check authorization for the (1) refreshNamenodes, (2) deleteBlockPool, and (3) shutdownDatanode HDFS admin commands, which allows remote authenticated users to cause a denial of service (DataNodes shutdown) or perform unnecessary operations by issuing a command. Apache Hadoop 0.23.x en versiones anteriores a 0.23.11 y 2.x en versiones anteriores a 2.4.1, como se utiliza en Cloudera CDH 5.0.x en versi... • https://www.cloudera.com/documentation/other/security-bulletins/topics/csb_topic_1.html#concept_i1q_xvk_2r • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2016-4946
https://notcve.org/view.php?id=CVE-2016-4946
07 Mar 2017 — Multiple cross-site scripting (XSS) vulnerabilities in Cloudera HUE 3.9.0 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) First name or (2) Last name field in the HUE Users page. Múltiples vulnerabilidades de XSS en Cloudera HUE 3.9.0 y versiones anteriores permiten a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través del campo (1) Nombre o (2) Apellido en la página de usuarios HUE. • http://2016.hack.lu/archive/2016/Wavestone%20-%20Hack.lu%202016%20-%20Hadoop%20safari%20-%20Hunting%20for%20vulnerabilities%20-%20v1.0.pdf • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2016-4947
https://notcve.org/view.php?id=CVE-2016-4947
07 Mar 2017 — Cloudera HUE 3.9.0 and earlier allows remote attackers to enumerate user accounts via a request to desktop/api/users/autocomplete. Cloudera HUE 3.9.0 y versiones anteriores permite a atacantes remotos enumerar cuentas de usuario a través de una petición a desktop/api/users/autocomplete. • http://2016.hack.lu/archive/2016/Wavestone%20-%20Hack.lu%202016%20-%20Hadoop%20safari%20-%20Hunting%20for%20vulnerabilities%20-%20v1.0.pdf • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2016-4948
https://notcve.org/view.php?id=CVE-2016-4948
07 Mar 2017 — Multiple cross-site scripting (XSS) vulnerabilities in Cloudera Manager 5.5 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) Template Name field when renaming a template; (2) KDC Server host, (3) Kerberos Security Realm, (4) Kerberos Encryption Types, (5) Advanced Configuration Snippet (Safety Valve) for [libdefaults] section of krb5.conf, (6) Advanced Configuration Snippet (Safety Valve) for the Default Realm in krb5.conf, (7) Advanced Configuration Snippet (Safety Valv... • http://2016.hack.lu/archive/2016/Wavestone%20-%20Hack.lu%202016%20-%20Hadoop%20safari%20-%20Hunting%20for%20vulnerabilities%20-%20v1.0.pdf • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2016-4949
https://notcve.org/view.php?id=CVE-2016-4949
07 Mar 2017 — Cloudera Manager 5.5 and earlier allows remote attackers to obtain sensitive information via a (1) stderr.log or (2) stdout.log value in the filename parameter to /cmf/process/<process_id>/logs. Cloudera Manager 5.5 y versiones anteriores permite a atacantes remotos obtener información sensible a través de un valor (1) stderr.log o (2) stdout.log en el parámetro filename para /cmf/process//logs. • http://2016.hack.lu/archive/2016/Wavestone%20-%20Hack.lu%202016%20-%20Hadoop%20safari%20-%20Hunting%20for%20vulnerabilities%20-%20v1.0.pdf • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2016-4950
https://notcve.org/view.php?id=CVE-2016-4950
07 Mar 2017 — Cloudera Manager 5.5 and earlier allows remote attackers to enumerate user sessions via a request to /api/v11/users/sessions. Cloudera Manager 5.5 y versiones anteriores permite a atacantes remotos enumerar sesiones de usuario a través de una solicitud a /api/v11/users/sessions. • http://2016.hack.lu/archive/2016/Wavestone%20-%20Hack.lu%202016%20-%20Hadoop%20safari%20-%20Hunting%20for%20vulnerabilities%20-%20v1.0.pdf • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 7.8EPSS: 0%CPEs: 3EXPL: 0CVE-2014-8733
https://notcve.org/view.php?id=CVE-2014-8733
10 Feb 2015 — Cloudera Manager 5.2.0, 5.2.1, and 5.3.0 stores the LDAP bind password in plaintext in unspecified world-readable files under /etc/hadoop, which allows local users to obtain this password. Cloudera Manager 5.2.0, 5.2.1, y 5.3.0 almacena la contraseña del enlace LDAP en texto plano en ficheros de lectura universal no especificados bajo /etc/hadoop, lo que permite a usuarios locales obtener esta contraseña. • http://www.cloudera.com/content/cloudera/en/documentation/security-bulletins/Security-Bulletin/csb_topic_2.html • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 4.3EPSS: 0%CPEs: 21EXPL: 0CVE-2014-0220 – Cloudera Manager 4.8.2 / 5.0.0 Information Disclosure
https://notcve.org/view.php?id=CVE-2014-0220
05 Jun 2014 — Cloudera Manager before 4.8.3 and 5.x before 5.0.1 allows remote authenticated users to obtain sensitive configuration information via the API. Cloudera Manager anterior a 4.8.3 y 5.x anterior a 5.0.1 permite a usuarios remotos autenticados obtener información sensible de configuraciones a través de la API. Cloudera Manager versions 4.8.2 and below and 5.0.0 suffer from a sensitive configuration value exposure. • http://packetstormsecurity.com/files/126956/Cloudera-Manager-4.8.2-5.0.0-Information-Disclosure.html • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 6.5EPSS: 0%CPEs: 13EXPL: 0CVE-2012-1574
https://notcve.org/view.php?id=CVE-2012-1574
12 Apr 2012 — The Kerberos/MapReduce security functionality in Apache Hadoop 0.20.203.0 through 0.20.205.0, 0.23.x before 0.23.2, and 1.0.x before 1.0.2, as used in Cloudera CDH CDH3u0 through CDH3u2, Cloudera hadoop-0.20-sbin before 0.20.2+923.197, and other products, allows remote authenticated users to impersonate arbitrary cluster user accounts via unspecified vectors. La funcionalidad Kerberos/MapReduce en Apache Hadoop v0.20.203.0 a v0.20.205.0, v0.23.x antes de v0.23.2 y v1.0.x antes de v1.0.2, tal y como se utili... • http://archives.neohapsis.com/archives/bugtraq/2012-04/0051.html • CWE-310: Cryptographic Issues •