GHSA-8r28-r8cp-g6cp

Source

https://github.com/advisories/GHSA-8r28-r8cp-g6cp

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-8r28-r8cp-g6cp/GHSA-8r28-r8cp-g6cp.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-8r28-r8cp-g6cp

Aliases

CVE-2016-5001

Published

2022-05-13T01:08:56Z

Modified

2023-11-08T03:58:30.347713Z

Severity

5.5 (Medium) CVSS_V3 - CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVSS Calculator

Summary

Exposure of Sensitive Information to an Unauthorized Actor in Apache Hadoop

Details

This is an information disclosure vulnerability in Apache Hadoop before 2.6.4 and 2.7.x before 2.7.2 in the short-circuit reads feature of HDFS. A local user on an HDFS DataNode may be able to craft a block token that grants unauthorized read access to random files by guessing certain fields in the token.

Database specific

{
    "github_reviewed_at": "2022-07-06T19:43:24Z",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-200"
    ],
    "nvd_published_at": "2017-08-30T19:29:00Z",
    "severity": "MODERATE"
}

References

Affected packages

Maven / org.apache.hadoop:hadoop-common

Package

Name: org.apache.hadoop:hadoop-common; View open source insights on deps.dev
Purl: pkg:maven/org.apache.hadoop/hadoop-common

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.6.4

Affected versions

0.*

0.22.0

0.23.1

0.23.3

0.23.4

0.23.5

0.23.6

0.23.7

0.23.8

0.23.9

0.23.10

0.23.11

2.*

2.0.0-alpha

2.0.1-alpha

2.0.2-alpha

2.0.3-alpha

2.0.4-alpha

2.0.5-alpha

2.0.6-alpha

2.1.0-beta

2.1.1-beta

2.2.0

2.3.0

2.4.0

2.4.1

2.5.0

2.5.1

2.5.2

2.6.0

2.6.1

2.6.2

2.6.3

Database specific

last_known_affected_version_range

"<= 2.6.3"