CVE-2018-11767

CWE-269 — Improper Privilege Management8 documents7 sources

Severity

7.4HIGH

EPSS

2.1%

top 16.02%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Hadoop

Timeline

PublishedMar 21

Latest updateApr 4

Description

In Apache Hadoop 2.9.0 to 2.9.1, 2.8.3 to 2.8.4, 2.7.5 to 2.7.6, KMS blocking users or granting access to users incorrectly, if the system uses non-default groups mapping mechanisms.

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:HExploitability: 2.2 | Impact: 5.2

Affected Packages3 packages

▶Mavenorg.apache.hadoop:hadoop-main2.7.5 — 2.7.7+2

▶NVDapache/hadoop2.7.5 — 2.7.6+2

▶CVEListV5apache_hadoopApache Hadoop 2.9.0 to 2.9.1, 2.8.3 to 2.8.4, 2.7.5 to 2.7.6

🔴Vulnerability Details

GHSA

Improper Privilege Management in org.apache.hadoop:hadoop-main↗2019-03-25

▶

OSV

Improper Privilege Management in org.apache.hadoop:hadoop-main↗2019-03-25

▶

CVEList

CVE-2018-11767: In Apache Hadoop 2↗2019-03-18

▶

📋Vendor Advisories

Red Hat

hadoop: Apache Hadoop KMS ACL regression↗2019-03-11

▶

Apache

Apache hadoop: CVE-2018-11767↗

▶

💬Community

Bugzilla

CVE-2018-11767 hadoop: Apache Hadoop KMS ACL regression↗2019-04-04

▶

Bugzilla

CVE-2018-11767 hadoop: Apache Hadoop KMS ACL regression [fedora-all]↗2019-04-04

▶