Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS04OTVtLXd3NTUtNTl2d84AAZNT
Exposure of Sensitive Information to an Unauthorized Actor in Apache Hadoop
The YARN NodeManager in Apache Hadoop 2.6.x before 2.6.5 and 2.7.x before 2.7.3 can leak the password for the credential store provider used by the NodeManager to YARN Applications.
Permalink: https://github.com/advisories/GHSA-895m-ww55-59vw
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS04OTVtLXd3NTUtNTl2d84AAZNT
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: over 2 years ago
Updated: over 1 year ago
CVSS Score: 9.8
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-895m-ww55-59vw, CVE-2016-3086
References:
- https://nvd.nist.gov/vuln/detail/CVE-2016-3086
- http://mail-archives.apache.org/mod_mbox/hadoop-general/201701.mbox/%3C0ed32746-5a53-9051-5877-2b1abd88beb6%40apache.org%3E
- http://www.securityfocus.com/bid/95335
- https://github.com/advisories/GHSA-895m-ww55-59vw
Affected Packages
maven:org.apache.hadoop:hadoop-yarn-server-nodemanager
Dependent packages: 100
Dependent repositories: 2,013
Downloads:
Affected Version Ranges: >= 2.7.0, <= 2.7.2; >= 2.6.0, <= 2.6.4
Fixed in: 2.7.3, 2.6.5
All affected versions: 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.6.4, 2.7.0, 2.7.1, 2.7.2
All unaffected versions: 0.23.1, 0.23.3, 0.23.4, 0.23.5, 0.23.6, 0.23.7, 0.23.8, 0.23.9, 0.23.10, 0.23.11, 2.2.0, 2.3.0, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.5.2, 2.6.5, 2.7.3, 2.7.4, 2.7.5, 2.7.6, 2.7.7, 2.8.0, 2.8.1, 2.8.2, 2.8.3, 2.8.4, 2.8.5, 2.9.0, 2.9.1, 2.9.2, 2.10.0, 2.10.1, 2.10.2, 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.1.4, 3.2.0, 3.2.1, 3.2.2, 3.2.3, 3.2.4, 3.3.0, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.3.5, 3.3.6, 3.4.0