Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS1oMjRwLXF3ZjQtODRxOM4AAbhV

Apache Hadoop's LinuxContainerExecutor runs docker commands as root with insufficient input validation

In Apache Hadoop 2.8.0, 3.0.0-alpha1, and 3.0.0-alpha2, the LinuxContainerExecutor runs docker commands as root with insufficient input validation. When the docker feature is enabled, authenticated users can run commands as root. This issue is fixed in versions 2.8.1 and 3.0.0-alpha3.

Permalink: https://github.com/advisories/GHSA-h24p-qwf4-84q8
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1oMjRwLXF3ZjQtODRxOM4AAbhV
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: about 1 year ago
Updated: 4 months ago


CVSS Score: 7.5
CVSS vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Identifiers: GHSA-h24p-qwf4-84q8, CVE-2017-7669
References:

Affected Packages

maven:org.apache.hadoop:hadoop-common
Versions: >= 3.0.0-alpha1, < 3.0.0-alpha3, < 2.8.1
Fixed in: 3.0.0-alpha3, 2.8.1