GHSA-jpmf-8cj2-595g

Source

https://github.com/advisories/GHSA-jpmf-8cj2-595g

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-jpmf-8cj2-595g/GHSA-jpmf-8cj2-595g.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-jpmf-8cj2-595g

Aliases

CVE-2014-3627

Published

2022-05-17T04:20:31Z

Modified

2024-12-07T05:28:22.082035Z

Summary

Improper Link Resolution Before File Access in Apache Hadoop

Details

The YARN NodeManager daemon in Apache Hadoop 0.23.0 through 0.23.11 and 2.x before 2.5.2, when using Kerberos authentication, allows remote cluster users to change the permissions of certain files to world-readable via a symlink attack in a public tar archive, which is not properly handled during localization, related to distributed cache.

Database specific

{
    "nvd_published_at": "2014-12-05T16:59:00Z",
    "cwe_ids": [
        "CWE-59"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2022-07-07T22:33:19Z"
}

References

Affected packages

Maven / org.apache.hadoop:hadoop-client

Package

Name: org.apache.hadoop:hadoop-client; View open source insights on deps.dev
Purl: pkg:maven/org.apache.hadoop/hadoop-client

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0.23.0

Fixed

1.0.1

Affected versions

0.*

0.23.1

0.23.3

0.23.4

0.23.5

0.23.6

0.23.7

0.23.8

0.23.9

0.23.10

0.23.11

Maven / org.apache.hadoop:hadoop-client

Package

Name: org.apache.hadoop:hadoop-client; View open source insights on deps.dev
Purl: pkg:maven/org.apache.hadoop/hadoop-client

Affected ranges

Type: ECOSYSTEM
Events: Introduced

2.0.0

Fixed

2.5.2

Affected versions

2.*

2.0.1-alpha

2.0.2-alpha

2.0.3-alpha

2.0.4-alpha

2.0.5-alpha

2.0.6-alpha

2.1.0-beta

2.1.1-beta

2.2.0

2.3.0

2.4.0

2.4.1

2.5.0

2.5.1