Search
Total
6 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-26612 | 2 Apache, Microsoft | 2 Hadoop, Windows | 2023-08-08 | 7.5 HIGH | 9.8 CRITICAL |
| In Apache Hadoop, The unTar function uses unTarUsingJava function on Windows and the built-in tar utility on Unix and other OSes. As a result, a TAR entry may create a symlink under the expected extraction directory which points to an external directory. A subsequent TAR entry may extract an arbitrary file into the external directory using the symlink name. This however would be caught by the same targetDirPath check on Unix because of the getCanonicalPath call. However on Windows, getCanonicalPath doesn't resolve symbolic links, which bypasses the check. unpackEntries during TAR extraction follows symbolic links which allows writing outside expected base directory on Windows. This was addressed in Apache Hadoop 3.2.3 | |||||
| CVE-2021-37404 | 1 Apache | 1 Hadoop | 2022-07-15 | 7.5 HIGH | 9.8 CRITICAL |
| There is a potential heap buffer overflow in Apache Hadoop libhdfs native code. Opening a file path provided by user without validation may result in a denial of service or arbitrary code execution. Users should upgrade to Apache Hadoop 2.10.2, 3.2.3, 3.3.2 or higher. | |||||
| CVE-2019-17195 | 3 Apache, Connect2id, Oracle | 15 Hadoop, Nimbus Jose\+jwt, Communications Cloud Native Core Security Edge Protection Proxy and 12 more | 2022-06-07 | 6.8 MEDIUM | 9.8 CRITICAL |
| Connect2id Nimbus JOSE+JWT before v7.9 can throw various uncaught exceptions while parsing a JWT, which could result in an application crash (potential information disclosure) or a potential authentication bypass. | |||||
| CVE-2017-15718 | 1 Apache | 1 Hadoop | 2019-10-03 | 5.0 MEDIUM | 9.8 CRITICAL |
| The YARN NodeManager in Apache Hadoop 2.7.3 and 2.7.4 can leak the password for credential store provider used by the NodeManager to YARN Applications. | |||||
| CVE-2012-4449 | 1 Apache | 1 Hadoop | 2017-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| Apache Hadoop before 0.23.4, 1.x before 1.0.4, and 2.x before 2.0.2 generate token passwords using a 20-bit secret when Kerberos security features are enabled, which makes it easier for context-dependent attackers to crack secret keys via a brute-force attack. | |||||
| CVE-2016-3086 | 1 Apache | 1 Hadoop | 2017-09-11 | 5.0 MEDIUM | 9.8 CRITICAL |
| The YARN NodeManager in Apache Hadoop 2.6.x before 2.6.5 and 2.7.x before 2.7.3 can leak the password for credential store provider used by the NodeManager to YARN Applications. | |||||