CVSS: 9.8EPSS: 0%CPEs: 4EXPL: 1CVE-2022-26612 – Arbitrary file write in FileUtil#unpackEntries on Windows
https://notcve.org/view.php?id=CVE-2022-26612
07 Apr 2022 — In Apache Hadoop, The unTar function uses unTarUsingJava function on Windows and the built-in tar utility on Unix and other OSes. As a result, a TAR entry may create a symlink under the expected extraction directory which points to an external directory. A subsequent TAR entry may extract an arbitrary file into the external directory using the symlink name. This however would be caught by the same targetDirPath check on Unix because of the getCanonicalPath call. However on Windows, getCanonicalPath doesn't ... • https://lists.apache.org/thread/hslo7wzw2449gv1jyjk8g6ttd7935fyz • CWE-59: Improper Link Resolution Before File Access ('Link Following') •
CVSS: 9.8EPSS: 0%CPEs: 8EXPL: 0CVE-2012-4449
https://notcve.org/view.php?id=CVE-2012-4449
30 Oct 2017 — Apache Hadoop before 0.23.4, 1.x before 1.0.4, and 2.x before 2.0.2 generate token passwords using a 20-bit secret when Kerberos security features are enabled, which makes it easier for context-dependent attackers to crack secret keys via a brute-force attack. Apache Hadoop en versiones anteriores a la 0.23.4, las versiones 1.x anteriores a la 1.0.4 y las versiones 2.x anteriores a la 2.0.2 genera contraseñas token empleando un secreto de 20 bits cuando las características de seguridad de Kerberos están hab... • http://mail-archives.apache.org/mod_mbox/hadoop-general/201210.mbox/%3CCA+z3+9FYdPmzBEaMZ71SUqzRx=eU=o4mSHUsbrpzgR9X_F1c0Q%40mail.gmail.com%3E • CWE-327: Use of a Broken or Risky Cryptographic Algorithm •
CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 0CVE-2016-5001
https://notcve.org/view.php?id=CVE-2016-5001
30 Aug 2017 — This is an information disclosure vulnerability in Apache Hadoop before 2.6.4 and 2.7.x before 2.7.2 in the short-circuit reads feature of HDFS. A local user on an HDFS DataNode may be able to craft a block token that grants unauthorized read access to random files by guessing certain fields in the token. Existe una vulnerabilidad de divulgación de información en Apache Hadoop en versiones anteriores a la 2.6.4 y en 2.7.x anteriores a la 2.7.2 en la característica short-circuit reads en HDFS. Un usuario loc... • http://seclists.org/oss-sec/2016/q4/698 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2017-3161
https://notcve.org/view.php?id=CVE-2017-3161
26 Apr 2017 — The HDFS web UI in Apache Hadoop before 2.7.0 is vulnerable to a cross-site scripting (XSS) attack through an unescaped query parameter. El interface web HDFS de Apache Hadoop anterior a 2.7.0 es vulnerable a un ataque cross-site scripting a través de un parámetro mal filtrado. • http://www.securityfocus.com/bid/98025 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2017-3162 – Apache Hadoop DataNode Missed Validation
https://notcve.org/view.php?id=CVE-2017-3162
26 Apr 2017 — HDFS clients interact with a servlet on the DataNode to browse the HDFS namespace. The NameNode is provided as a query parameter that is not validated in Apache Hadoop before 2.7.0. Vulnerabilidad en HDFS de Hadoop en versiones anteriores a la 2.7.0, a través de la cual clientes de HDFS podrían interactuar con un servlet en el DataNode para poder explorar el espacio de nombres HDFS. El NameNode se proporcionaría como un parámetro de consulta que no estaría validado en las versiones mencionadas de Apache Had... • http://www.securityfocus.com/bid/98017 • CWE-20: Improper Input Validation •
CVSS: 6.5EPSS: 0%CPEs: 13EXPL: 0CVE-2012-1574
https://notcve.org/view.php?id=CVE-2012-1574
12 Apr 2012 — The Kerberos/MapReduce security functionality in Apache Hadoop 0.20.203.0 through 0.20.205.0, 0.23.x before 0.23.2, and 1.0.x before 1.0.2, as used in Cloudera CDH CDH3u0 through CDH3u2, Cloudera hadoop-0.20-sbin before 0.20.2+923.197, and other products, allows remote authenticated users to impersonate arbitrary cluster user accounts via unspecified vectors. La funcionalidad Kerberos/MapReduce en Apache Hadoop v0.20.203.0 a v0.20.205.0, v0.23.x antes de v0.23.2 y v1.0.x antes de v1.0.2, tal y como se utili... • http://archives.neohapsis.com/archives/bugtraq/2012-04/0051.html • CWE-310: Cryptographic Issues •