CVE-2017-3166

CWE-732 — Incorrect Permission Assignment7 documents6 sources

Severity

7.8HIGH

EPSS

0.2%

top 56.10%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Software Foundation Apache Hadoop Apache Hadoop

Timeline

PublishedNov 13

Latest updateDec 21

Description

In Apache Hadoop versions 2.6.1 to 2.6.5, 2.7.0 to 2.7.3, and 3.0.0-alpha1, if a file in an encryption zone with access permissions that make it world readable is localized via YARN's localization mechanism, that file will be stored in a world-readable location and can be shared freely with any application that requests to localize that file.

CVSS vector

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages3 packages

▶Mavenorg.apache.hadoop:hadoop-main< 2.7.3

▶NVDapache/hadoop10 versions+9

▶CVEListV5apache_software_foundation/apache_hadoop2.6.1 to 2.6.5, 2.7.0 to 2.7.3, 3.0.0-alpha1 to 3.0.0-alpha3+2

🔴Vulnerability Details

GHSA

Moderate severity vulnerability that affects org.apache.hadoop:hadoop-main↗2018-12-21

▶

OSV

Moderate severity vulnerability that affects org.apache.hadoop:hadoop-main↗2018-12-21

▶

CVEList

CVE-2017-3166: In Apache Hadoop versions 2↗2017-11-13

▶

📋Vendor Advisories

Apache

Apache hadoop: CVE-2017-3166↗

▶

💬Community

Bugzilla

CVE-2017-3166 hadoop: Privilege escalation in YARN's localization mechanism [fedora-all]↗2017-11-22

▶

Bugzilla

CVE-2017-3166 hadoop: Privilege escalation in YARN's localization mechanism↗2017-11-22

▶