This is an information disclosure vulnerability in Apache Hadoop before 2.6.4 and 2.7.x before 2.7.2 in the short-circuit reads feature of HDFS. A local user on an HDFS DataNode may be able to craft a block token that grants unauthorized read access to random files by guessing certain fields in the token.
CVSS Score
5.5
EPSS Score
0.001
Published
2017-08-30
The HDFS web UI in Apache Hadoop before 2.7.0 is vulnerable to a cross-site scripting (XSS) attack through an unescaped query parameter.
CVSS Score
6.1
EPSS Score
0.05
Published
2017-04-26
HDFS clients interact with a servlet on the DataNode to browse the HDFS namespace. The NameNode is provided as a query parameter that is not validated in Apache Hadoop before 2.7.0.
CVSS Score
7.3
EPSS Score
0.019
Published
2017-04-26
In Apache Hadoop 2.x before 2.7.4, a user who can escalate to yarn user can possibly run arbitrary commands as root user.
CVSS Score
8.8
EPSS Score
0.005
Published
2017-04-11
Page 2