CVE-2021-25642

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2021-25642

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-25642.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2021-25642

Aliases

GHSA-rr2m-gffv-mgrj

Published

2022-08-25T14:15:09Z

Modified

2024-09-02T22:12:06Z

Severity

8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

ZKConfigurationStore which is optionally used by CapacityScheduler of Apache Hadoop YARN deserializes data obtained from ZooKeeper without validation. An attacker having access to ZooKeeper can run arbitrary commands as YARN user by exploiting this. Users should upgrade to Apache Hadoop 2.10.2, 3.2.4, 3.3.4 or later (containing YARN-11126) if ZKConfigurationStore is used.

References

Affected packages

Git / github.com/apache/hadoop

Affected ranges

Type: GIT
Repo: https://github.com/apache/hadoop
Events: Introduced

756ebc8394e473ac25feac05fa493f6d612e6c50

Fixed

965fd380006fa78b2315668fbc7eb432e1d8200f