CVE-2016-3086

CWE-200 — Information Exposure7 documents6 sources

Severity

9.8CRITICAL

EPSS

0.4%

top 37.53%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Software Foundation Apache Hadoop Apache Hadoop

Timeline

PublishedSep 5

Latest updateMay 17

Description

The YARN NodeManager in Apache Hadoop 2.6.x before 2.6.5 and 2.7.x before 2.7.3 can leak the password for credential store provider used by the NodeManager to YARN Applications.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages3 packages

▶Mavenorg.apache.hadoop:hadoop-yarn-server-nodemanager2.6.0 — 2.6.5+1

▶NVDapache/hadoop8 versions+7

▶CVEListV5apache_software_foundation/apache_hadoop2.6.0 to 2.6.4, 2.7.0 to 2.7.2+1

🔴Vulnerability Details

GHSA

Exposure of Sensitive Information to an Unauthorized Actor in Apache Hadoop↗2022-05-17

▶

OSV

Exposure of Sensitive Information to an Unauthorized Actor in Apache Hadoop↗2022-05-17

▶

CVEList

CVE-2016-3086: The YARN NodeManager in Apache Hadoop 2↗2017-09-05

▶

📋Vendor Advisories

Apache

Apache hadoop: CVE-2017-15718↗

▶

💬Community

Bugzilla

CVE-2016-3086 hadoop: YARN NodeManager vulnerability [fedora-25]↗2017-09-06

▶

Bugzilla

CVE-2016-3086 hadoop: YARN NodeManager vulnerability↗2017-09-06

▶