Skip to main content

Hadoop CVE-2016-5393

HIGH
Improper Access Control (CWE-284)
2016-11-29 secalert@redhat.com
8.8
CVSS 3.0 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
CVE Published
Nov 29, 2016 - 06:59 cve.org
HIGH 8.8

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 820 maven packages depend on org.apache.hadoop:hadoop-common (331 direct, 495 indirect)

Ecosystem-wide dependent count for version 2.6.0.

DescriptionCVE.org

In Apache Hadoop 2.6.x before 2.6.5 and 2.7.x before 2.7.3, a remote user who can authenticate with the HDFS NameNode can possibly run arbitrary commands with the same privileges as the HDFS service.

AnalysisAI

In Apache Hadoop 2.6.x before 2.6.5 and 2.7.x before 2.7.3, a remote user who can authenticate with the HDFS NameNode can possibly run arbitrary commands with the same privileges as the HDFS service. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.

Technical ContextAI

This vulnerability is classified under CWE-284. In Apache Hadoop 2.6.x before 2.6.5 and 2.7.x before 2.7.3, a remote user who can authenticate with the HDFS NameNode can possibly run arbitrary commands with the same privileges as the HDFS service. Affected products include: Apache Hadoop. Version information: before 2.6.5.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.

More in Hadoop

View all
CVE-2022-26612 CRITICAL POC
9.8 Apr 07

In Apache Hadoop, The unTar function uses unTarUsingJava function on Windows and the built-in tar utility on Unix and ot

CVE-2018-8009 HIGH POC
8.8 Nov 13

Apache Hadoop 3.1.0, 3.0.0-alpha to 3.0.2, 2.9.0 to 2.9.1, 2.8.0 to 2.8.4, 2.0.0-alpha to 2.7.6, 0.23.0 to 0.23.11 is ex

CVE-2016-3086 CRITICAL
9.8 Sep 05

The YARN NodeManager in Apache Hadoop 2.6.x before 2.6.5 and 2.7.x before 2.7.3 can leak the password for credential sto

CVE-2012-4449 CRITICAL
9.8 Oct 30

Apache Hadoop before 0.23.4, 1.x before 1.0.4, and 2.x before 2.0.2 generate token passwords using a 20-bit secret when

CVE-2022-25168 CRITICAL
9.8 Aug 04

Apache Hadoop's FileUtil.unTar(File, File) API does not escape the input file name before being passed to the shell. Rat

CVE-2019-17195 CRITICAL
9.8 Oct 15

Connect2id Nimbus JOSE+JWT before v7.9 can throw various uncaught exceptions while parsing a JWT, which could result in

CVE-2016-6811 HIGH
8.8 Apr 11

In Apache Hadoop 2.x before 2.7.4, a user who can escalate to yarn user can possibly run arbitrary commands as root user

CVE-2018-11766 HIGH
8.8 Nov 27

In Apache Hadoop 2.7.4 to 2.7.6, the security fix for CVE-2016-6811 is incomplete. Rated high severity (CVSS 8.8), this

CVE-2015-7430 HIGH
8.4 Jan 02

The Hadoop connector 1.1.1, 2.4, 2.5, and 2.7.0-0 before 2.7.0-3 for IBM Spectrum Scale and General Parallel File System

CVE-2017-3166 HIGH
7.8 Nov 13

In Apache Hadoop versions 2.6.1 to 2.6.5, 2.7.0 to 2.7.3, and 3.0.0-alpha1, if a file in an encryption zone with access

CVE-2012-3376 HIGH
7.5 Jul 12

DataNodes in Apache Hadoop 2.0.0 alpha does not check the BlockTokens of clients when Kerberos is enabled and the DataNo

CVE-2017-3162 HIGH
7.3 Apr 26

HDFS clients interact with a servlet on the DataNode to browse the HDFS namespace. Rated high severity (CVSS 7.3), this

Share

CVE-2016-5393 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy