CVE-2016-5001

CWE-200 — Information Exposure6 documents5 sources

Severity

5.5MEDIUM

EPSS

0.1%

top 69.36%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Hadoop Apache Software Foundation Apache Hadoop

Timeline

PublishedAug 30

Latest updateMay 13

Description

This is an information disclosure vulnerability in Apache Hadoop before 2.6.4 and 2.7.x before 2.7.2 in the short-circuit reads feature of HDFS. A local user on an HDFS DataNode may be able to craft a block token that grants unauthorized read access to random files by guessing certain fields in the token.

CVSS vector

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 1.8 | Impact: 3.6

Affected Packages3 packages

▶Mavenorg.apache.hadoop:hadoop-common2.7.0 — 2.7.2+1

▶NVDapache/hadoop2.6.3+2

▶CVEListV5apache_software_foundation/apache_hadoop2.1.0 to 2.6.3, 2.7.0 to 2.7.1+1

🔴Vulnerability Details

OSV

Exposure of Sensitive Information to an Unauthorized Actor in Apache Hadoop↗2022-05-13

▶

GHSA

Exposure of Sensitive Information to an Unauthorized Actor in Apache Hadoop↗2022-05-13

▶

CVEList

CVE-2016-5001: This is an information disclosure vulnerability in Apache Hadoop before 2↗2017-08-30

▶

💬Community

Bugzilla

CVE-2016-5001 hadoop: Information disclosure [fedora-all]↗2016-12-19

▶

Bugzilla

CVE-2016-5001 hadoop: Information disclosure↗2016-12-19

▶