CVE-2017-7669 – org.apache.hadoop:hadoop-common
Package
Manager: maven
Name: org.apache.hadoop:hadoop-common
Vulnerable Version: >=0 <2.8.1 || >=3.0.0-alpha1 <3.0.0-alpha3
Severity
Level: High
CVSS v3.1: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS: 0.00298 (percentile: 0.52656)
Details
Apache Hadoop's LinuxContainerExecutor runs docker commands as root with insufficient input validation
In Apache Hadoop 2.8.0, 3.0.0-alpha1, and 3.0.0-alpha2, the LinuxContainerExecutor runs docker commands as root with insufficient input validation. When the docker feature is enabled, authenticated users can run commands as root. This issue is fixed in versions 2.8.1 and 3.0.0-alpha3.
Metadata
Created: 2022-05-17T02:41:57Z
Modified: 2022-11-22T18:47:34Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-h24p-qwf4-84q8/GHSA-h24p-qwf4-84q8.json
CWE IDs: ["CWE-20"]
Alternative ID: GHSA-h24p-qwf4-84q8
Finding: F184
Auto approve: 1