CVE-2018-11764

CWE-306 — Missing Authentication CWE-287 — Improper Authentication7 documents7 sources

Severity

8.8HIGH

EPSS

0.2%

top 59.81%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Hadoop

Timeline

PublishedOct 21

Latest updateFeb 10

Description

Web endpoint authentication check is broken in Apache Hadoop 3.0.0-alpha4, 3.0.0-beta1, and 3.0.0. Authenticated users may impersonate any user even if no proxy user is configured.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages3 packages

▶Mavenorg.apache.hadoop:hadoop-main3.0.0-alpha4 — 3.0.1+2

▶CVEListV5apache_hadoopApache Hadoop 3.0.0-alpha4, 3.0.0-beta1, 3.0.0

▶NVDapache/hadoop3.0.0

🔴Vulnerability Details

GHSA

Authentication bypass in Apache Hadoop↗2022-02-10

▶

OSV

Authentication bypass in Apache Hadoop↗2022-02-10

▶

CVEList

CVE-2018-11764: Web endpoint authentication check is broken in Apache Hadoop 3↗2020-10-21

▶

📋Vendor Advisories

Red Hat

hadoop: privilege escalation in web endpoint↗2020-10-21

▶

Apache

Apache hadoop: CVE-2018-11764↗

▶

💬Community

Bugzilla

CVE-2018-11764 hadoop: privilege escalation in web endpoint↗2020-10-21

▶