CVE-2014-3627 – org.apache.hadoop:hadoop-client

Package

Manager: maven
Name: org.apache.hadoop:hadoop-client
Vulnerable Version: >=0.23.0 <1.0.1 || >=2.0.0 <2.5.2

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C

CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

EPSS: 0.01303 pctl0.78975

Details

Improper Link Resolution Before File Access in Apache Hadoop The YARN NodeManager daemon in Apache Hadoop 0.23.0 through 0.23.11 and 2.x before 2.5.2, when using Kerberos authentication, allows remote cluster users to change the permissions of certain files to world-readable via a symlink attack in a public tar archive, which is not properly handled during localization, related to distributed cache.

Metadata

Created: 2022-05-17T04:20:31Z
Modified: 2022-07-07T22:33:19Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-jpmf-8cj2-595g/GHSA-jpmf-8cj2-595g.json
CWE IDs: ["CWE-59"]
Alternative ID: GHSA-jpmf-8cj2-595g
Finding: F076
Auto approve: 1