CVE-2016-5001 – org.apache.hadoop:hadoop-common
Package
Manager: maven
Name: org.apache.hadoop:hadoop-common
Vulnerable Version: >=0 <2.6.4 || >=2.7.0 <2.7.2
Severity
Level: Medium
CVSS v3.1: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00135 (percentile: 0.34)
Details
Exposure of Sensitive Information to an Unauthorized Actor in Apache Hadoop

This is an information disclosure vulnerability in Apache Hadoop before 2.6.4 and 2.7.x before 2.7.2 in the short-circuit reads feature of HDFS. A local user on an HDFS DataNode may be able to craft a block token that grants unauthorized read access to random files by guessing certain fields in the token.
Metadata
Created: 2022-05-13T01:08:56Z
Modified: 2022-07-06T19:43:24Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-8r28-r8cp-g6cp/GHSA-8r28-r8cp-g6cp.json
CWE IDs: ["CWE-200"]
Alternative ID: GHSA-8r28-r8cp-g6cp
Finding: F038
Auto approve: 1