PT-2020-8521 · Apache · Apache Hadoop

Daryn Sharp · Published 2020-10-21 · Updated 2022-06-03 · CVE-2018-11764

CVSS v2.0: 9.0 (High)
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions: Apache Hadoop versions 3.0.0-alpha4 through 3.0.0
Description: The web endpoint authentication check in Apache Hadoop is broken, allowing authenticated users to impersonate any user, even if no proxy user is configured.
Recommendations: For Apache Hadoop versions 3.0.0-alpha4 through 3.0.0, consider restricting access to the web endpoint until a fix is available. As a temporary workaround, review and limit user permissions to minimize the risk of impersonation.

Fix

Weakness Enumeration

Missing Authentication

Related Identifiers

CVE-2018-11764
GHSA-4FH8-PM7G-PMXQ

Affected Products

Apache Hadoop