CVE-2018-11765

CWE-287 — Improper Authentication CWE-200 — Information Exposure7 documents7 sources

Severity

7.5HIGH

EPSS

1.1%

top 21.53%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Hadoop

Timeline

PublishedSep 30

Latest updateApr 30

Description

In Apache Hadoop versions 3.0.0-alpha2 to 3.0.0, 2.9.0 to 2.9.2, 2.8.0 to 2.8.5, any users can access some servlets without authentication when Kerberos authentication is enabled and SPNEGO through HTTP is not enabled.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages3 packages

▶Mavenorg.apache.hadoop:hadoop-main3.0.0-alpha2 — 3.0.1+2

▶NVDapache/hadoop2.8.0 — 2.8.5+2

▶CVEListV5apache_hadoopApache Hadoop 3.0.0-alpha2 to 3.0.0, 2.9.0 to 2.9.2, 2.8.0 to 2.8.5

🔴Vulnerability Details

OSV

Improper Authentication in Apache Hadoop↗2021-04-30

▶

GHSA

Improper Authentication in Apache Hadoop↗2021-04-30

▶

CVEList

CVE-2018-11765: In Apache Hadoop versions 3↗2020-09-30

▶

📋Vendor Advisories

Red Hat

hadoop: Potential information disclosure in Hadoop Web interfaces↗2020-09-28

▶

Apache

Apache hadoop: CVE-2018-11765↗

▶

💬Community

Bugzilla

CVE-2018-11765 hadoop: Potential information disclosure in Hadoop Web interfaces↗2020-09-29

▶