Apache Hadoop 2.6.5 Security Vulnerabilities
In Apache Hadoop versions 2.6.1 to 2.6.5, 2.7.0 to 2.7.3, and 3.0.0-alpha1, if a file in an encryption zone with access permissions that make it world readable is localized via YARN's localization mechanism, that file will be stored in a world-readable location and can be shared freely with any application that requests to localize that file.
CVSS Score: 7.8 | EPSS Score: 0.002 | Published: 2017-11-13
The HDFS web UI in Apache Hadoop before 2.7.0 is vulnerable to a cross-site scripting (XSS) attack through an unescaped query parameter.
CVSS Score: 6.1 | EPSS Score: 0.05 | Published: 2017-04-26
HDFS clients interact with a servlet on the DataNode to browse the HDFS namespace. The NameNode is provided as a query parameter that is not validated in Apache Hadoop before 2.7.0.
CVSS Score: 7.3 | EPSS Score: 0.019 | Published: 2017-04-26
In Apache Hadoop 2.x before 2.7.4, a user who can escalate to the yarn user can possibly run arbitrary commands as the root user.
CVSS Score: 8.8 | EPSS Score: 0.005 | Published: 2017-04-11

