Note:
This project will be discontinued after December 13, 2021. [more]
Product:
Hadoop
(Apache)| Repositories |
Unknown: This might be proprietary software. |
| #Vulnerabilities | 35 |
| Date | Id | Summary | Products | Score | Patch | Annotated |
|---|---|---|---|---|---|---|
| 2019-03-21 | CVE-2018-11767 | In Apache Hadoop 2.9.0 to 2.9.1, 2.8.3 to 2.8.4, 2.7.5 to 2.7.6, KMS blocking users or granting access to users incorrectly, if the system uses non-default groups mapping mechanisms. | Hadoop | 7.4 | ||
| 2019-05-30 | CVE-2018-8029 | In Apache Hadoop versions 3.0.0-alpha1 to 3.1.0, 2.9.0 to 2.9.1, and 2.2.0 to 2.8.4, a user who can escalate to yarn user can possibly run arbitrary commands as root user. | Hadoop | 8.8 | ||
| 2019-10-04 | CVE-2018-11768 | In Apache Hadoop 3.1.0 to 3.1.1, 3.0.0-alpha1 to 3.0.3, 2.9.0 to 2.9.1, and 2.0.0-alpha to 2.8.4, the user/group information can be corrupted across storing in fsimage and reading back from fsimage. | Hadoop | 7.5 | ||
| 2019-10-15 | CVE-2019-17195 | Connect2id Nimbus JOSE+JWT before v7.9 can throw various uncaught exceptions while parsing a JWT, which could result in an application crash (potential information disclosure) or a potential authentication bypass. | Hadoop, Nimbus_jose\+jwt, Communications_cloud_native_core_security_edge_protection_proxy, Communications_pricing_design_center, Data_integrator, Enterprise_manager_base_platform, Healthcare_data_repository, Insurance_policy_administration, Jd_edwards_enterpriseone_orchestrator, Jd_edwards_enterpriseone_tools, Peoplesoft_enterprise_peopletools, Policy_automation, Primavera_gateway, Solaris_cluster, Weblogic_server | 9.8 | ||
| 2020-09-30 | CVE-2018-11765 | In Apache Hadoop versions 3.0.0-alpha2 to 3.0.0, 2.9.0 to 2.9.2, 2.8.0 to 2.8.5, any users can access some servlets without authentication when Kerberos authentication is enabled and SPNEGO through HTTP is not enabled. | Hadoop | 7.5 | ||
| 2020-10-21 | CVE-2018-11764 | Web endpoint authentication check is broken in Apache Hadoop 3.0.0-alpha4, 3.0.0-beta1, and 3.0.0. Authenticated users may impersonate any user even if no proxy user is configured. | Hadoop | 8.8 | ||
| 2019-10-29 | CVE-2012-2945 | Hadoop 1.0.3 contains a symlink vulnerability. | Hadoop | N/A | ||
| 2017-06-04 | CVE-2017-7669 | In Apache Hadoop 2.8.0, 3.0.0-alpha1, and 3.0.0-alpha2, the LinuxContainerExecutor runs docker commands as root with insufficient input validation. When the docker feature is enabled, authenticated users can run commands as root. | Hadoop | 7.5 | ||
| 2016-11-29 | CVE-2016-5393 | In Apache Hadoop 2.6.x before 2.6.5 and 2.7.x before 2.7.3, a remote user who can authenticate with the HDFS NameNode can possibly run arbitrary commands with the same privileges as the HDFS service. | Hadoop | 8.8 | ||
| 2017-09-05 | CVE-2016-3086 | The YARN NodeManager in Apache Hadoop 2.6.x before 2.6.5 and 2.7.x before 2.7.3 can leak the password for credential store provider used by the NodeManager to YARN Applications. | Hadoop | 9.8 |