[MAVEN:GHSA-RHH9-CM65-3W54] Improper Authentication in Apache Hadoop

Severity: High
Affected Packages: 3
Fixed Packages: 3
CVEs: 1

In Apache Hadoop versions 3.0.0-alpha2 to 3.0.0, 2.9.0 to 2.9.2, and 2.8.0 to 2.8.5, any user can access some servlets without authentication when Kerberos authentication is enabled and SPNEGO through HTTP is not enabled.

Package                                   Affected Version
pkg:maven/org.apache.hadoop/hadoop-main   >= 2.8.0, <= 2.8.5
pkg:maven/org.apache.hadoop/hadoop-main   >= 2.9.0, <= 2.9.2
pkg:maven/org.apache.hadoop/hadoop-main   >= 3.0.0-alpha2, <= 3.0.0
ID: MAVEN:GHSA-RHH9-CM65-3W54
Severity: high
URL: https://github.com/advisories/GHSA-rhh9-cm65-3w54
Published: 2021-04-30T17:29:30
Modified: 2023-02-01T05:05:27
Rights: Maven Security Team
Sources
https://nvd.nist.gov/vuln/detail/CVE-2018-11765
https://lists.apache.org/thread.html/r17d94d132b207dad221595fd8b8b18628f5f5ec7e3f5be939ecd8928@%3Ccommits.druid.apache.org%3E
https://lists.apache.org/thread.html/r2c7f899911a04164ed1707083fcd4135f8427e04778c87d83509b0da%40%3Cgeneral.hadoop.apache.org%3E
https://lists.apache.org/thread.html/r46447f38ea8c89421614e9efd7de5e656186d35e10fc97cf88477a01@%3Ccommits.druid.apache.org%3E
https://lists.apache.org/thread.html/r4dddf1705dbedfa94392913b2dad1cd2d1d89040facd389eea0b3510@%3Ccommits.druid.apache.org%3E
https://lists.apache.org/thread.html/r74825601e93582167eb7cdc2f764c74c9c6d8006fa90018562fda60f@%3Ccommits.druid.apache.org%3E
https://lists.apache.org/thread.html/r79b15c5b66c6df175d01d7560adf0cd5c369129b9a161905e0339927@%3Ccommits.druid.apache.org%3E
https://lists.apache.org/thread.html/rb21df54a4e39732ce653d2aa5672e36a792b59eb6717f2a06bb8d02a@%3Ccommits.druid.apache.org%3E
https://lists.apache.org/thread.html/rb241464d83baa3749b08cd3dabc8dba70a9a9027edcef3b5d4c24ef4@%3Ccommits.druid.apache.org%3E
https://lists.apache.org/thread.html/rbe25cac0f499374f8ae17a4a44a8404927b56de28d4c41940d82b7a4@%3Ccommits.druid.apache.org%3E
https://lists.apache.org/thread.html/reea5eb8622afbfbfca46bc758f79db83d90a3263a906c4d1acba4971@%3Ccommits.druid.apache.org%3E
https://lists.apache.org/thread.html/rf9dfa8b77585c9227db9637552eebb2ab029255a0db4eb76c2b6c4cf@%3Cdev.druid.apache.org%3E
https://security.netapp.com/advisory/ntap-20201016-0005/
https://github.com/advisories/GHSA-rhh9-cm65-3w54
Type      Package URL                                Namespace           Name / Product   Version
Affected  pkg:maven/org.apache.hadoop/hadoop-main    org.apache.hadoop   hadoop-main      >= 2.8.0, <= 2.8.5
Fixed     pkg:maven/org.apache.hadoop/hadoop-main    org.apache.hadoop   hadoop-main      = 2.8.6
Affected  pkg:maven/org.apache.hadoop/hadoop-main    org.apache.hadoop   hadoop-main      >= 2.9.0, <= 2.9.2
Fixed     pkg:maven/org.apache.hadoop/hadoop-main    org.apache.hadoop   hadoop-main      = 2.9.3
Affected  pkg:maven/org.apache.hadoop/hadoop-main    org.apache.hadoop   hadoop-main      >= 3.0.0-alpha2, <= 3.0.0
Fixed     pkg:maven/org.apache.hadoop/hadoop-main    org.apache.hadoop   hadoop-main      = 3.0.1