Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS05cjdnLTMyNWgtbXhybc4AAbzh

Improper Authentication in Apache Hadoop

Apache Hadoop 0.23.x before 0.23.11 and 2.x before 2.4.1, as used in Cloudera CDH 5.0.x before 5.0.2, do not check authorization for the (1) refreshNamenodes, (2) deleteBlockPool, and (3) shutdownDatanode HDFS admin commands, which allows remote authenticated users to cause a denial of service (DataNodes shutdown) or perform unnecessary operations by issuing a command.

Permalink: https://github.com/advisories/GHSA-9r7g-325h-mxrm
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS05cjdnLTMyNWgtbXhybc4AAbzh
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: almost 2 years ago
Updated: about 1 year ago


CVSS Score: 6.5
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Identifiers: GHSA-9r7g-325h-mxrm, CVE-2014-0229
References:

Affected Packages

maven:org.apache.hadoop:hadoop-common
Dependent packages: 2,487
Dependent repositories: 22,274
Downloads:
Affected Version Ranges: >= 2.0.0, < 2.4.1, >= 0.23.0, < 0.23.11
Fixed in: 2.4.1, 0.23.11
All affected versions: 0.23.1, 0.23.3, 0.23.4, 0.23.5, 0.23.6, 0.23.7, 0.23.8, 0.23.9, 0.23.10, 2.2.0, 2.3.0, 2.4.0
All unaffected versions: 0.22.0, 0.23.11, 2.4.1, 2.5.0, 2.5.1, 2.5.2, 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.6.4, 2.6.5, 2.7.0, 2.7.1, 2.7.2, 2.7.3, 2.7.4, 2.7.5, 2.7.6, 2.7.7, 2.8.0, 2.8.1, 2.8.2, 2.8.3, 2.8.4, 2.8.5, 2.9.0, 2.9.1, 2.9.2, 2.10.0, 2.10.1, 2.10.2, 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.1.4, 3.2.0, 3.2.1, 3.2.2, 3.2.3, 3.2.4, 3.3.0, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.3.5, 3.3.6