Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1oMjRwLXF3ZjQtODRxOM4AAbhV
Apache Hadoop's LinuxContainerExecutor runs docker commands as root with insufficient input validation
In Apache Hadoop 2.8.0, 3.0.0-alpha1, and 3.0.0-alpha2, the LinuxContainerExecutor runs docker commands as root with insufficient input validation. When the docker feature is enabled, authenticated users can run commands as root. This issue is fixed in versions 2.8.1 and 3.0.0-alpha3.
Permalink: https://github.com/advisories/GHSA-h24p-qwf4-84q8JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1oMjRwLXF3ZjQtODRxOM4AAbhV
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: about 1 year ago
Updated: 4 months ago
CVSS Score: 7.5
CVSS vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-h24p-qwf4-84q8, CVE-2017-7669
References:
- https://nvd.nist.gov/vuln/detail/CVE-2017-7669
- https://mail-archives.apache.org/mod_mbox/hadoop-user/201706.mbox/%3C4A2FDA56-491B-4C2A-915F-C9D4A4BDB92A%40apache.org%3E
- http://www.securityfocus.com/bid/98795
- https://github.com/advisories/GHSA-h24p-qwf4-84q8
Affected Packages
maven:org.apache.hadoop:hadoop-common
Versions: >= 3.0.0-alpha1, < 3.0.0-alpha3, < 2.8.1Fixed in: 3.0.0-alpha3, 2.8.1