Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS05cjdnLTMyNWgtbXhybc4AAbzh
Improper Authentication in Apache Hadoop
Apache Hadoop 0.23.x before 0.23.11 and 2.x before 2.4.1, as used in Cloudera CDH 5.0.x before 5.0.2, do not check authorization for the (1) refreshNamenodes, (2) deleteBlockPool, and (3) shutdownDatanode HDFS admin commands, which allows remote authenticated users to cause a denial of service (DataNodes shutdown) or perform unnecessary operations by issuing a command.
Permalink: https://github.com/advisories/GHSA-9r7g-325h-mxrmJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS05cjdnLTMyNWgtbXhybc4AAbzh
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: almost 2 years ago
Updated: about 1 year ago
CVSS Score: 6.5
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Identifiers: GHSA-9r7g-325h-mxrm, CVE-2014-0229
References:
- https://nvd.nist.gov/vuln/detail/CVE-2014-0229
- https://www.cloudera.com/documentation/other/security-bulletins/topics/csb_topic_1.html#concept_i1q_xvk_2r
- https://github.com/advisories/GHSA-9r7g-325h-mxrm
Affected Packages
maven:org.apache.hadoop:hadoop-common
Dependent packages: 2,487Dependent repositories: 22,274
Downloads:
Affected Version Ranges: >= 2.0.0, < 2.4.1, >= 0.23.0, < 0.23.11
Fixed in: 2.4.1, 0.23.11
All affected versions: 0.23.1, 0.23.3, 0.23.4, 0.23.5, 0.23.6, 0.23.7, 0.23.8, 0.23.9, 0.23.10, 2.2.0, 2.3.0, 2.4.0
All unaffected versions: 0.22.0, 0.23.11, 2.4.1, 2.5.0, 2.5.1, 2.5.2, 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.6.4, 2.6.5, 2.7.0, 2.7.1, 2.7.2, 2.7.3, 2.7.4, 2.7.5, 2.7.6, 2.7.7, 2.8.0, 2.8.1, 2.8.2, 2.8.3, 2.8.4, 2.8.5, 2.9.0, 2.9.1, 2.9.2, 2.10.0, 2.10.1, 2.10.2, 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.1.4, 3.2.0, 3.2.1, 3.2.2, 3.2.3, 3.2.4, 3.3.0, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.3.5, 3.3.6