org.apache.hadoop:hadoop-main (Maven)
13 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting org.apache.hadoop:hadoop-main
- CVE-2012-1574: severity NONE; CVSS 0.0; fixed in 1.0.2; 2012-04-12
  The Kerberos/MapReduce security functionality in Apache Hadoop 0.20.203.0 through 0.20.205.0, 0.23.x before 0.23.2, and 1.0.x before 1.0.2, as used in Cloudera CDH CDH3u0 through CDH3u2, Cloudera hadoop-0.20-sbin before 0.20.2+923.197, and…
- CVE-2012-2945: severity HIGH; CVSS 7.5; EG 7.5; fixed in 1.0.4; 2019-10-29
  Vulnerable versions: 0.23.1 ... 0.23.9 (10 versions)
  Hadoop 1.0.3 contains a symlink vulnerability.
- CVE-2017-15713: severity MEDIUM; CVSS 6.5; fixed in 2.8.3; 2018-01-19
  Vulnerable versions: 2.8.0, 2.8.1, 2.8.2
  Vulnerability in Apache Hadoop 0.23.x, 2.x before 2.7.5, 2.8.x before 2.8.3, and 3.0.0-alpha through 3.0.0-beta1 allows a cluster user to expose private files owned by the user running the MapReduce job history server process. The maliciou…
- CVE-2017-15718: severity CRITICAL; CVSS 9.8; fixed in 2.7.5; 2018-01-24
  Vulnerable versions: 2.7.3, 2.7.4
  The YARN NodeManager in Apache Hadoop 2.7.3 and 2.7.4 can leak the password for the credential store provider used by the NodeManager to YARN applications.
- CVE-2017-3166: severity HIGH; CVSS 7.8; EG 7.8; fixed in 2.7.3; 2017-11-13
  Vulnerable versions: 0.23.1 ... 2.7.2 (35 versions)
  In Apache Hadoop versions 2.6.1 to 2.6.5, 2.7.0 to 2.7.3, and 3.0.0-alpha1, if a file in an encryption zone with access permissions that make it world readable is localized via YARN's localization mechanism, that file will be stored in a w…
- CVE-2018-11764: severity HIGH; CVSS 8.8; EG 8.8; fixed in 3.0.1; 2020-10-21
  Vulnerable versions: 3.0.0
  Web endpoint authentication check is broken in Apache Hadoop 3.0.0-alpha4, 3.0.0-beta1, and 3.0.0. Authenticated users may impersonate any user even if no proxy user is configured.
- CVE-2018-11765: severity HIGH; CVSS 7.5; EG 7.5; fixed in 2.8.6; 2020-09-30
  Vulnerable versions: 2.8.0 ... 2.8.5 (6 versions)
  In Apache Hadoop versions 3.0.0-alpha2 to 3.0.0, 2.9.0 to 2.9.2, and 2.8.0 to 2.8.5, any user can access some servlets without authentication when Kerberos authentication is enabled and SPNEGO through HTTP is not enabled.
- CVE-2018-11766: severity HIGH; CVSS 8.8; fixed in 2.7.7; 2018-11-27
  Vulnerable versions: 2.7.4, 2.7.5, 2.7.6
  In Apache Hadoop 2.7.4 to 2.7.6, the security fix for CVE-2016-6811 is incomplete. A user who can escalate to the yarn user can possibly run arbitrary commands as the root user.
- CVE-2018-11767: severity HIGH; CVSS 7.4; fixed in 2.9.2; 2019-03-21
  Vulnerable versions: 2.9.0, 2.9.1
  In Apache Hadoop 2.9.0 to 2.9.1, 2.8.3 to 2.8.4, and 2.7.5 to 2.7.6, KMS may block users or grant access to users incorrectly if the system uses a non-default group mapping mechanism.
- CVE-2018-11768: severity HIGH; CVSS 7.5; EG 7.5; fixed in 3.1.1; 2019-10-04
  Vulnerable versions: 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.1.0
  In Apache Hadoop 3.1.0 to 3.1.1, 3.0.0-alpha1 to 3.0.3, 2.9.0 to 2.9.1, and 2.0.0-alpha to 2.8.4, user/group information can be corrupted when it is stored in the fsimage and read back from it.
- CVE-2018-1296: severity HIGH; CVSS 7.5; fixed in 2.9.1; 2019-02-07
  Vulnerable versions: 2.9.0
  In Apache Hadoop 3.0.0-alpha1 to 3.0.0, 2.9.0, 2.8.0 to 2.8.3, and 2.5.0 to 2.7.5, HDFS exposes extended attribute key/value pairs during listXAttrs, verifying only path-level search access to the directory rather than path-level read perm…
- CVE-2018-8009: severity HIGH; CVSS 8.8; fixed in 2.7.7; 2018-11-13
  Vulnerable versions: 0.23.1 ... 2.7.6 (39 versions)
  Apache Hadoop 3.1.0, 3.0.0-alpha to 3.0.2, 2.9.0 to 2.9.1, 2.8.0 to 2.8.4, 2.0.0-alpha to 2.7.6, and 0.23.0 to 0.23.11 are exploitable via the zip slip vulnerability in places that accept a zip file.
- CVE-2018-8029: severity HIGH; CVSS 8.8; fixed in 3.1.1; 2019-05-30
  Vulnerable versions: 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.1.0
  In Apache Hadoop versions 3.0.0-alpha1 to 3.1.0, 2.9.0 to 2.9.1, and 2.2.0 to 2.8.4, a user who can escalate to the yarn user can possibly run arbitrary commands as the root user.
Check whether org.apache.hadoop:hadoop-main is used in your infrastructure
EchelonGraph scans your cloud and SBOMs to map every package to your actual deployments. See blast radius for org.apache.hadoop:hadoop-main CVEs against the assets you own.