GHSA-8r28-r8cp-g6cp

Suggest an improvement
Source
https://github.com/advisories/GHSA-8r28-r8cp-g6cp
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-8r28-r8cp-g6cp/GHSA-8r28-r8cp-g6cp.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-8r28-r8cp-g6cp
Aliases
Published
2022-05-13T01:08:56Z
Modified
2023-11-01T04:47:00.674117Z
Severity
  • 5.5 (Medium) CVSS_V3 - CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
Summary
Exposure of Sensitive Information to an Unauthorized Actor in Apache Hadoop
Details

This is an information disclosure vulnerability in Apache Hadoop before 2.6.4 and 2.7.x before 2.7.2 in the short-circuit reads feature of HDFS. A local user on an HDFS DataNode may be able to craft a block token that grants unauthorized read access to random files by guessing certain fields in the token.

Database specific
{
    "nvd_published_at": "2017-08-30T19:29:00Z",
    "github_reviewed_at": "2022-07-06T19:43:24Z",
    "severity": "MODERATE",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-200"
    ]
}
References

Affected packages

Maven / org.apache.hadoop:hadoop-common

Package

Name
org.apache.hadoop:hadoop-common
View open source insights on deps.dev
Purl
pkg:maven/org.apache.hadoop/hadoop-common

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.6.4

Affected versions

0.*

0.22.0
0.23.1
0.23.3
0.23.4
0.23.5
0.23.6
0.23.7
0.23.8
0.23.9
0.23.10
0.23.11

2.*

2.0.0-alpha
2.0.1-alpha
2.0.2-alpha
2.0.3-alpha
2.0.4-alpha
2.0.5-alpha
2.0.6-alpha
2.1.0-beta
2.1.1-beta
2.2.0
2.3.0
2.4.0
2.4.1
2.5.0
2.5.1
2.5.2
2.6.0
2.6.1
2.6.2
2.6.3

Database specific

{
    "last_known_affected_version_range": "<= 2.6.3"
}

Maven / org.apache.hadoop:hadoop-common

Package

Name
org.apache.hadoop:hadoop-common
View open source insights on deps.dev
Purl
pkg:maven/org.apache.hadoop/hadoop-common

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.7.0
Fixed
2.7.2

Affected versions

2.*

2.7.0
2.7.1

Database specific

{
    "last_known_affected_version_range": "<= 2.7.1"
}