CVE-2014-3627: Link Following in Apache Hadoop

CWE-59: Link Following (7 documents, 6 sources)
Severity: 5.0 MEDIUM (NVD)
EPSS: 1.6% (top 18.16%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products
Timeline
Published: Dec 5
Latest update: May 17

Description

The YARN NodeManager daemon in Apache Hadoop 0.23.0 through 0.23.11 and 2.x before 2.5.2, when using Kerberos authentication, allows remote cluster users to change the permissions of certain files to world-readable via a symlink attack in a public tar archive, which is not properly handled during localization, related to distributed cache.

CVSS vector

AV:N/AC:L/C:P/I:N/A:N (Exploitability: 10.0 | Impact: 2.9)

Affected Packages (1 package)

NVD: apache/hadoop (26 versions, +25)

Vulnerability Details (3)

OSV: Improper Link Resolution Before File Access in Apache Hadoop (2022-05-17)
GHSA: Improper Link Resolution Before File Access in Apache Hadoop (2022-05-17)
CVEList: CVE-2014-3627: The YARN NodeManager daemon in Apache Hadoop 0 (2014-12-05)

Vendor Advisories (1)

Red Hat: hadoop: file disclosure flaw (2014-11-21)

Community (2)

Bugzilla: CVE-2014-3627 hadoop: file disclosure flaw (2014-12-04)
Bugzilla: CVE-2014-3627 hadoop: file disclosure flaw [fedora-all] (2014-12-04)
CVE-2014-3627 — Link Following in Apache Hadoop | cvebase