Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS1oMjRwLXF3ZjQtODRxOM4AAbhV

Apache Hadoop's LinuxContainerExecutor runs docker commands as root with insufficient input validation

In Apache Hadoop 2.8.0, 3.0.0-alpha1, and 3.0.0-alpha2, the LinuxContainerExecutor runs docker commands as root with insufficient input validation. When the docker feature is enabled, authenticated users can run commands as root. This issue is fixed in versions 2.8.1 and 3.0.0-alpha3.

Permalink: https://github.com/advisories/GHSA-h24p-qwf4-84q8
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1oMjRwLXF3ZjQtODRxOM4AAbhV
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: almost 2 years ago
Updated: about 1 year ago

CVSS Score: 7.5
CVSS vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Identifiers: GHSA-h24p-qwf4-84q8, CVE-2017-7669
References:

Blast Radius: 32.6

Affected Packages

maven:org.apache.hadoop:hadoop-common

Dependent packages: 2,487
Dependent repositories: 22,274
Downloads:
Affected Version Ranges: >= 3.0.0-alpha1, < 3.0.0-alpha3, < 2.8.1
Fixed in: 3.0.0-alpha3, 2.8.1
All affected versions: 0.22.0, 0.23.1, 0.23.3, 0.23.4, 0.23.5, 0.23.6, 0.23.7, 0.23.8, 0.23.9, 0.23.10, 0.23.11, 2.2.0, 2.3.0, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.5.2, 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.6.4, 2.6.5, 2.7.0, 2.7.1, 2.7.2, 2.7.3, 2.7.4, 2.7.5, 2.7.6, 2.7.7, 2.8.0, 3.0.0-alpha1, 3.0.0-alpha2
All unaffected versions: 2.8.1, 2.8.2, 2.8.3, 2.8.4, 2.8.5, 2.9.0, 2.9.1, 2.9.2, 2.10.0, 2.10.1, 2.10.2, 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.1.4, 3.2.0, 3.2.1, 3.2.2, 3.2.3, 3.2.4, 3.3.0, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.3.5, 3.3.6, 3.4.0