Skip to main content

Hadoop

24 CVEs product

Monthly

CVE-2025-27821 Maven HIGH PATCH This Week

Out-of-bounds Write vulnerability in Apache Hadoop HDFS native client. This issue affects Apache Hadoop: from 3.2.0 before 3.4.2. [CVSS 7.3 HIGH]

Apache Hadoop
NVD
CVSS 3.1
7.3
EPSS
0.1%
CVE-2024-23454 Maven MEDIUM PATCH This Month

Apache Hadoop’s RunJar.run() does not set permissions for temporary directory by default. Rated medium severity (CVSS 6.2), this vulnerability is no authentication required, low attack complexity.

Apache Information Disclosure Hadoop
NVD
CVSS 3.1
6.2
EPSS
0.4%
CVE-2023-26031 Maven HIGH PATCH This Week

Relative library resolution in linux container-executor binary in Apache Hadoop 3.3.1-3.3.4 on Linux allows local user to gain root privileges. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. No vendor patch available.

Privilege Escalation Apache Atlassian Hadoop
NVD
CVSS 3.1
7.5
EPSS
2.1%
CVE-2022-25168 Maven CRITICAL PATCH Act Now

Apache Hadoop's FileUtil.unTar(File, File) API does not escape the input file name before being passed to the shell. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Command Injection RCE Hadoop
NVD
CVSS 3.1
9.8
EPSS
3.4%
CVE-2022-26612 Maven CRITICAL POC PATCH Act Now

In Apache Hadoop, The unTar function uses unTarUsingJava function on Windows and the built-in tar utility on Unix and other OSes. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Apache Microsoft Hadoop
NVD
CVSS 3.1
9.8
EPSS
4.2%
CVE-2019-17195 Maven CRITICAL PATCH Act Now

Connect2id Nimbus JOSE+JWT before v7.9 can throw various uncaught exceptions while parsing a JWT, which could result in an application crash (potential information disclosure) or a potential. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Authentication Bypass Information Disclosure Nimbus Jose Jwt Hadoop Communications Cloud Native Core Security Edge Protection Proxy +12
NVD
CVSS 3.1
9.8
EPSS
11.0%
CVE-2018-11766 Maven HIGH PATCH This Week

In Apache Hadoop 2.7.4 to 2.7.6, the security fix for CVE-2016-6811 is incomplete. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Privilege Escalation Apache Hadoop
NVD
CVSS 3.0
8.8
EPSS
3.2%
CVE-2018-8009 Maven HIGH POC PATCH This Week

Apache Hadoop 3.1.0, 3.0.0-alpha to 3.0.2, 2.9.0 to 2.9.1, 2.8.0 to 2.8.4, 2.0.0-alpha to 2.7.6, 0.23.0 to 0.23.11 is exploitable via the zip slip vulnerability in places that accept a zip file. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Apache Path Traversal Hadoop
NVD
CVSS 3.0
8.8
EPSS
7.6%
CVE-2017-3166 Maven HIGH PATCH This Week

In Apache Hadoop versions 2.6.1 to 2.6.5, 2.7.0 to 2.7.3, and 3.0.0-alpha1, if a file in an encryption zone with access permissions that make it world readable is localized via YARN's localization. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. This Incorrect Permission Assignment vulnerability could allow attackers to access resources due to misconfigured permissions.

Apache Information Disclosure Hadoop
NVD
CVSS 3.0
7.8
EPSS
0.2%
CVE-2012-4449 Maven CRITICAL PATCH Act Now

Apache Hadoop before 0.23.4, 1.x before 1.0.4, and 2.x before 2.0.2 generate token passwords using a 20-bit secret when Kerberos security features are enabled, which makes it easier for. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Apache Information Disclosure Hadoop
NVD
CVSS 3.0
9.8
EPSS
0.4%
CVE-2016-3086 Maven CRITICAL PATCH Act Now

The YARN NodeManager in Apache Hadoop 2.6.x before 2.6.5 and 2.7.x before 2.7.3 can leak the password for credential store provider used by the NodeManager to YARN Applications. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Apache Information Disclosure Hadoop
NVD
CVSS 3.0
9.8
EPSS
0.4%
CVE-2016-5001 Maven MEDIUM PATCH This Month

This is an information disclosure vulnerability in Apache Hadoop before 2.6.4 and 2.7.x before 2.7.2 in the short-circuit reads feature of HDFS. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Apache Information Disclosure Hadoop
NVD
CVSS 3.0
5.5
EPSS
0.1%
CVE-2017-7669 Maven HIGH PATCH This Week

In Apache Hadoop 2.8.0, 3.0.0-alpha1, and 3.0.0-alpha2, the LinuxContainerExecutor runs docker commands as root with insufficient input validation. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable.

Docker Apache Information Disclosure Hadoop
NVD
CVSS 3.0
7.5
EPSS
0.3%
CVE-2017-3162 Maven HIGH PATCH This Week

HDFS clients interact with a servlet on the DataNode to browse the HDFS namespace. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Apache Information Disclosure Hadoop
NVD
CVSS 3.0
7.3
EPSS
1.9%
CVE-2017-3161 Maven MEDIUM PATCH This Month

The HDFS web UI in Apache Hadoop before 2.7.0 is vulnerable to a cross-site scripting (XSS) attack through an unescaped query parameter. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

XSS Apache Hadoop
NVD
CVSS 3.0
6.1
EPSS
5.8%
CVE-2016-6811 Maven HIGH PATCH This Week

In Apache Hadoop 2.x before 2.7.4, a user who can escalate to yarn user can possibly run arbitrary commands as root user. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.

Apache Privilege Escalation Hadoop
NVD
CVSS 3.0
8.8
EPSS
0.5%
CVE-2014-0229 Maven MEDIUM PATCH This Month

Apache Hadoop 0.23.x before 0.23.11 and 2.x before 2.4.1, as used in Cloudera CDH 5.0.x before 5.0.2, do not check authorization for the (1) refreshNamenodes, (2) deleteBlockPool, and (3). Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity.

Denial Of Service Apache Privilege Escalation Cdh Hadoop
NVD
CVSS 3.0
6.5
EPSS
0.4%
CVE-2016-5393 Maven HIGH PATCH This Week

In Apache Hadoop 2.6.x before 2.6.5 and 2.7.x before 2.7.3, a remote user who can authenticate with the HDFS NameNode can possibly run arbitrary commands with the same privileges as the HDFS service. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.

Apache Authentication Bypass Hadoop
NVD
CVSS 3.0
8.8
EPSS
2.6%
CVE-2015-1776 Maven MEDIUM PATCH This Month

Apache Hadoop 2.6.x encrypts intermediate data generated by a MapReduce job and stores it along with the encryption key in a credentials file on disk when the Intermediate data encryption feature is. Rated medium severity (CVSS 6.2), this vulnerability is no authentication required, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Information Disclosure Apache Hadoop
NVD
CVSS 3.0
6.2
EPSS
0.1%
CVE-2015-7430 HIGH This Week

The Hadoop connector 1.1.1, 2.4, 2.5, and 2.7.0-0 before 2.7.0-3 for IBM Spectrum Scale and General Parallel File System (GPFS) allows local users to read or write to arbitrary GPFS data via. Rated high severity (CVSS 8.4), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

IBM Privilege Escalation Hadoop
NVD
CVSS 3.0
8.4
EPSS
0.0%
CVE-2014-3627 Maven MEDIUM PATCH This Month

The YARN NodeManager daemon in Apache Hadoop 0.23.0 through 0.23.11 and 2.x before 2.5.2, when using Kerberos authentication, allows remote cluster users to change the permissions of certain files to. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity.

Information Disclosure Apache Hadoop
NVD
CVSS 2.0
5.0
EPSS
1.6%
CVE-2013-2192 Maven LOW PATCH Monitor

The RPC protocol implementation in Apache Hadoop 2.x before 2.0.6-alpha, 0.23.x before 0.23.9, and 1.x before 1.2.1, when the Kerberos security features are enabled, allows man-in-the-middle. Rated low severity (CVSS 3.2). This Improper Authentication vulnerability could allow attackers to bypass authentication mechanisms to gain unauthorized access.

Apache Authentication Bypass Hadoop
NVD
CVSS 2.0
3.2
EPSS
0.1%
CVE-2012-3376 Maven HIGH PATCH This Week

DataNodes in Apache Hadoop 2.0.0 alpha does not check the BlockTokens of clients when Kerberos is enabled and the DataNode has checked out the same BlockPool twice from a NodeName, which might allow. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity.

Apache Information Disclosure Hadoop
NVD
CVSS 2.0
7.5
EPSS
1.0%
CVE-2012-1574 Maven MEDIUM PATCH This Month

The Kerberos/MapReduce security functionality in Apache Hadoop 0.20.203.0 through 0.20.205.0, 0.23.x before 0.23.2, and 1.0.x before 1.0.2, as used in Cloudera CDH CDH3u0 through CDH3u2, Cloudera. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity.

Apache Information Disclosure Hadoop Cloudera Cdh
NVD
CVSS 2.0
6.5
EPSS
0.5%
EPSS 0% CVSS 7.3
HIGH PATCH This Week

Out-of-bounds Write vulnerability in Apache Hadoop HDFS native client. This issue affects Apache Hadoop: from 3.2.0 before 3.4.2. [CVSS 7.3 HIGH]

Apache Hadoop
NVD
EPSS 0% CVSS 6.2
MEDIUM PATCH This Month

Apache Hadoop’s RunJar.run() does not set permissions for temporary directory by default. Rated medium severity (CVSS 6.2), this vulnerability is no authentication required, low attack complexity.

Apache Information Disclosure Hadoop
NVD
EPSS 2% CVSS 7.5
HIGH PATCH This Week

Relative library resolution in linux container-executor binary in Apache Hadoop 3.3.1-3.3.4 on Linux allows local user to gain root privileges. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. No vendor patch available.

Privilege Escalation Apache Atlassian +1
NVD
EPSS 3% CVSS 9.8
CRITICAL PATCH Act Now

Apache Hadoop's FileUtil.unTar(File, File) API does not escape the input file name before being passed to the shell. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Command Injection RCE +1
NVD
EPSS 4% CVSS 9.8
CRITICAL POC PATCH Act Now

In Apache Hadoop, The unTar function uses unTarUsingJava function on Windows and the built-in tar utility on Unix and other OSes. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Apache Microsoft +1
NVD
EPSS 11% CVSS 9.8
CRITICAL PATCH Act Now

Connect2id Nimbus JOSE+JWT before v7.9 can throw various uncaught exceptions while parsing a JWT, which could result in an application crash (potential information disclosure) or a potential. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Authentication Bypass Information Disclosure Nimbus Jose Jwt +14
NVD
EPSS 3% CVSS 8.8
HIGH PATCH This Week

In Apache Hadoop 2.7.4 to 2.7.6, the security fix for CVE-2016-6811 is incomplete. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Privilege Escalation Apache Hadoop
NVD
EPSS 8% CVSS 8.8
HIGH POC PATCH This Week

Apache Hadoop 3.1.0, 3.0.0-alpha to 3.0.2, 2.9.0 to 2.9.1, 2.8.0 to 2.8.4, 2.0.0-alpha to 2.7.6, 0.23.0 to 0.23.11 is exploitable via the zip slip vulnerability in places that accept a zip file. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Apache Path Traversal Hadoop
NVD
EPSS 0% CVSS 7.8
HIGH PATCH This Week

In Apache Hadoop versions 2.6.1 to 2.6.5, 2.7.0 to 2.7.3, and 3.0.0-alpha1, if a file in an encryption zone with access permissions that make it world readable is localized via YARN's localization. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. This Incorrect Permission Assignment vulnerability could allow attackers to access resources due to misconfigured permissions.

Apache Information Disclosure Hadoop
NVD
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Apache Hadoop before 0.23.4, 1.x before 1.0.4, and 2.x before 2.0.2 generate token passwords using a 20-bit secret when Kerberos security features are enabled, which makes it easier for. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Apache Information Disclosure Hadoop
NVD
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

The YARN NodeManager in Apache Hadoop 2.6.x before 2.6.5 and 2.7.x before 2.7.3 can leak the password for credential store provider used by the NodeManager to YARN Applications. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Apache Information Disclosure Hadoop
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

This is an information disclosure vulnerability in Apache Hadoop before 2.6.4 and 2.7.x before 2.7.2 in the short-circuit reads feature of HDFS. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Apache Information Disclosure Hadoop
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

In Apache Hadoop 2.8.0, 3.0.0-alpha1, and 3.0.0-alpha2, the LinuxContainerExecutor runs docker commands as root with insufficient input validation. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable.

Docker Apache Information Disclosure +1
NVD
EPSS 2% CVSS 7.3
HIGH PATCH This Week

HDFS clients interact with a servlet on the DataNode to browse the HDFS namespace. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Apache Information Disclosure Hadoop
NVD
EPSS 6% CVSS 6.1
MEDIUM PATCH This Month

The HDFS web UI in Apache Hadoop before 2.7.0 is vulnerable to a cross-site scripting (XSS) attack through an unescaped query parameter. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

XSS Apache Hadoop
NVD
EPSS 1% CVSS 8.8
HIGH PATCH This Week

In Apache Hadoop 2.x before 2.7.4, a user who can escalate to yarn user can possibly run arbitrary commands as root user. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.

Apache Privilege Escalation Hadoop
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Apache Hadoop 0.23.x before 0.23.11 and 2.x before 2.4.1, as used in Cloudera CDH 5.0.x before 5.0.2, do not check authorization for the (1) refreshNamenodes, (2) deleteBlockPool, and (3). Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity.

Denial Of Service Apache Privilege Escalation +2
NVD
EPSS 3% CVSS 8.8
HIGH PATCH This Week

In Apache Hadoop 2.6.x before 2.6.5 and 2.7.x before 2.7.3, a remote user who can authenticate with the HDFS NameNode can possibly run arbitrary commands with the same privileges as the HDFS service. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.

Apache Authentication Bypass Hadoop
NVD
EPSS 0% CVSS 6.2
MEDIUM PATCH This Month

Apache Hadoop 2.6.x encrypts intermediate data generated by a MapReduce job and stores it along with the encryption key in a credentials file on disk when the Intermediate data encryption feature is. Rated medium severity (CVSS 6.2), this vulnerability is no authentication required, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Information Disclosure Apache Hadoop
NVD
EPSS 0% CVSS 8.4
HIGH This Week

The Hadoop connector 1.1.1, 2.4, 2.5, and 2.7.0-0 before 2.7.0-3 for IBM Spectrum Scale and General Parallel File System (GPFS) allows local users to read or write to arbitrary GPFS data via. Rated high severity (CVSS 8.4), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

IBM Privilege Escalation Hadoop
NVD
EPSS 2% CVSS 5.0
MEDIUM PATCH This Month

The YARN NodeManager daemon in Apache Hadoop 0.23.0 through 0.23.11 and 2.x before 2.5.2, when using Kerberos authentication, allows remote cluster users to change the permissions of certain files to. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity.

Information Disclosure Apache Hadoop
NVD
EPSS 0% CVSS 3.2
LOW PATCH Monitor

The RPC protocol implementation in Apache Hadoop 2.x before 2.0.6-alpha, 0.23.x before 0.23.9, and 1.x before 1.2.1, when the Kerberos security features are enabled, allows man-in-the-middle. Rated low severity (CVSS 3.2). This Improper Authentication vulnerability could allow attackers to bypass authentication mechanisms to gain unauthorized access.

Apache Authentication Bypass Hadoop
NVD
EPSS 1% CVSS 7.5
HIGH PATCH This Week

DataNodes in Apache Hadoop 2.0.0 alpha does not check the BlockTokens of clients when Kerberos is enabled and the DataNode has checked out the same BlockPool twice from a NodeName, which might allow. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity.

Apache Information Disclosure Hadoop
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

The Kerberos/MapReduce security functionality in Apache Hadoop 0.20.203.0 through 0.20.205.0, 0.23.x before 0.23.2, and 1.0.x before 1.0.2, as used in Cloudera CDH CDH3u0 through CDH3u2, Cloudera. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity.

Apache Information Disclosure Hadoop +1
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy