GHSA-rr2m-gffv-mgrj

Source

https://github.com/advisories/GHSA-rr2m-gffv-mgrj

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/08/GHSA-rr2m-gffv-mgrj/GHSA-rr2m-gffv-mgrj.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-rr2m-gffv-mgrj

Aliases

CVE-2021-25642

Published

2022-08-26T00:03:33Z

Modified

2024-02-22T05:43:15.326359Z

Severity

8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

Deserialization of Untrusted Data in Apache Hadoop YARN

Details

ZKConfigurationStore which is optionally used by CapacityScheduler of Apache Hadoop YARN deserializes data obtained from ZooKeeper without validation. An attacker having access to ZooKeeper can run arbitrary commands as YARN user by exploiting this. Users should upgrade to Apache Hadoop 2.10.2, 3.2.4, 3.3.4 or later (containing YARN-11126) if ZKConfigurationStore is used.

Database specific

{
    "nvd_published_at": "2022-08-25T14:15:00Z",
    "cwe_ids": [
        "CWE-502"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2022-08-30T20:55:27Z"
}

References

Affected packages

Maven / org.apache.hadoop:hadoop-yarn-server

Package

Name: org.apache.hadoop:hadoop-yarn-server; View open source insights on deps.dev
Purl: pkg:maven/org.apache.hadoop/hadoop-yarn-server

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.10.2

Affected versions

0.*

0.23.1

0.23.3

0.23.4

0.23.5

0.23.6

0.23.7

0.23.8

0.23.9

0.23.10

0.23.11

2.*

2.0.0-alpha

2.0.1-alpha

2.0.2-alpha

2.0.3-alpha

2.0.4-alpha

2.0.5-alpha

2.0.6-alpha

2.1.0-beta

2.1.1-beta

2.2.0

2.3.0

2.4.0

2.4.1

2.5.0

2.5.1

2.5.2

2.6.0

2.6.1

2.6.2

2.6.3

2.6.4

2.6.5

2.7.0

2.7.1

2.7.2

2.7.3

2.7.4

2.7.5

2.7.6

2.7.7

2.8.0

2.8.1

2.8.2

2.8.3

2.8.4

2.8.5

2.9.0

2.9.1

2.9.2

2.10.0

2.10.1

Maven / org.apache.hadoop:hadoop-yarn-server

Package

Name: org.apache.hadoop:hadoop-yarn-server; View open source insights on deps.dev
Purl: pkg:maven/org.apache.hadoop/hadoop-yarn-server

Affected ranges

Type: ECOSYSTEM
Events: Introduced

3.0.0

Fixed

3.2.4

Affected versions

3.*

3.0.0

3.0.1

3.0.2

3.0.3

3.1.0

3.1.1

3.1.2

3.1.3

3.1.4

3.2.0

3.2.1

3.2.2

3.2.3

Maven / org.apache.hadoop:hadoop-yarn-server

Package

Name: org.apache.hadoop:hadoop-yarn-server; View open source insights on deps.dev
Purl: pkg:maven/org.apache.hadoop/hadoop-yarn-server

Affected ranges

Type: ECOSYSTEM
Events: Introduced

3.3.0

Fixed

3.3.4

Affected versions

3.*

3.3.0

3.3.1

3.3.2

3.3.3