CVE-2018-11765 – org.apache.hadoop:hadoop-main
Package
Manager: maven
Name: org.apache.hadoop:hadoop-main
Vulnerable Version: >=3.0.0-alpha2 <3.0.1 || >=2.9.0 <2.9.3 || >=2.8.0 <2.8.6
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS: 0.01147 (percentile 0.77667)
Details
Improper Authentication in Apache Hadoop
In Apache Hadoop versions 3.0.0-alpha2 to 3.0.0, 2.9.0 to 2.9.2, and 2.8.0 to 2.8.5, any user can access some servlets without authentication when Kerberos authentication is enabled and SPNEGO through HTTP is not enabled.
Metadata
Created: 2021-04-30T17:29:30Z
Modified: 2021-10-05T16:27:33Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-rhh9-cm65-3w54/GHSA-rhh9-cm65-3w54.json
CWE IDs: ["CWE-287"]
Alternative ID: GHSA-rhh9-cm65-3w54
Finding: F039
Auto approve: 1