CVE-2018-1296

In Apache Hadoop 3.0.0-alpha1 to 3.0.0, 2.9.0, 2.8.0 to 2.8.3, and 2.5.0 to 2.7.5, HDFS exposes extended attribute key/value pairs during listXAttrs, verifying only path-level search access to the directory rather than path-level read permission to the referent.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
apacheCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 72%
VendorProductVersion
apachehadoop
2.5.0 ≤
𝑥
≤ 2.7.5
apachehadoop
2.8.0
apachehadoop
2.8.1
apachehadoop
2.8.2
apachehadoop
2.8.3
apachehadoop
2.9.0
apachehadoop
3.0.0
apachehadoop
3.0.0:alpha1
apachehadoop
3.0.0:alpha2
apachehadoop
3.0.0:alpha3
apachehadoop
3.0.0:alpha4
apachehadoop
3.0.0:beta1
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
http://www.securityfocus.com/bid/106764
https://lists.apache.org/thread.html/a5b15bc76fbdad2ee40761aacf954a13aeef67e305f86d483f267e8e%40%3Cuser.hadoop.apache.org%3E
http://www.securityfocus.com/bid/106764
https://lists.apache.org/thread.html/a5b15bc76fbdad2ee40761aacf954a13aeef67e305f86d483f267e8e%40%3Cuser.hadoop.apache.org%3E