CVE-2017-15718

CWE-200 — Information Exposure8 documents7 sources

Severity

9.8CRITICAL

EPSS

1.3%

top 20.01%

CISA KEV

Not in KEV

Exploit

Exploited in wild

Active exploitation observed

Affected products

Apache Software Foundation Apache Hadoop Apache Hadoop

Timeline

PublishedJan 24

Latest updateDec 21

Description

The YARN NodeManager in Apache Hadoop 2.7.3 and 2.7.4 can leak the password for credential store provider used by the NodeManager to YARN Applications.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages3 packages

▶Mavenorg.apache.hadoop:hadoop-main2.7.3 — 2.7.5

▶NVDapache/hadoop2.7.3, 2.7.4+1

▶CVEListV5apache_software_foundation/apache_hadoop2.7.3 to 2.7.4

🔴Vulnerability Details

GHSA

Exposure of Sensitive Information in Hadoop↗2018-12-21

▶

OSV

Exposure of Sensitive Information in Hadoop↗2018-12-21

▶

CVEList

CVE-2017-15718: The YARN NodeManager in Apache Hadoop 2↗2018-01-24

▶

VulnCheck

Apache Hadoop 2.7.3 and 2.7.4 YARN NodeManager Password Disclosure↗2017

▶

📋Vendor Advisories

Apache

Apache hadoop: CVE-2017-15718↗

▶

💬Community

Bugzilla

CVE-2017-15718 hadoop: YARN NodeManager can leak the password for the credential store provider [fedora-all]↗2018-01-29

▶

Bugzilla

CVE-2017-15718 hadoop: YARN NodeManager can leak the password for the credential store provider↗2018-01-29

▶