CVE-2014-0229 – org.apache.hadoop:hadoop-common

Package

Manager: maven
Name: org.apache.hadoop:hadoop-common
Vulnerable Version: >=0.23.0 <0.23.11 || >=2.0.0 <2.4.1

Severity

Level: Medium

CVSS v3.1: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

EPSS: 0.0037 pctl0.58049

Details

Improper Authentication in Apache Hadoop Apache Hadoop 0.23.x before 0.23.11 and 2.x before 2.4.1, as used in Cloudera CDH 5.0.x before 5.0.2, do not check authorization for the (1) refreshNamenodes, (2) deleteBlockPool, and (3) shutdownDatanode HDFS admin commands, which allows remote authenticated users to cause a denial of service (DataNodes shutdown) or perform unnecessary operations by issuing a command.

Metadata

Created: 2022-05-17T02:53:20Z
Modified: 2022-07-07T22:54:01Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-9r7g-325h-mxrm/GHSA-9r7g-325h-mxrm.json
CWE IDs: ["CWE-287"]
Alternative ID: GHSA-9r7g-325h-mxrm
Finding: F039
Auto approve: 1