CVE-2018-1296

CWE-200 — Information Exposure CWE-2857 documents7 sources

Severity

7.5HIGH

EPSS

0.6%

top 31.28%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Hadoop Apache Software Foundation Apache Hadoop

Timeline

PublishedFeb 7

Latest updateFeb 12

Description

In Apache Hadoop 3.0.0-alpha1 to 3.0.0, 2.9.0, 2.8.0 to 2.8.3, and 2.5.0 to 2.7.5, HDFS exposes extended attribute key/value pairs during listXAttrs, verifying only path-level search access to the directory rather than path-level read permission to the referent.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages3 packages

▶Mavenorg.apache.hadoop:hadoop-main2.8.0 — 2.8.4+2

▶NVDapache/hadoop2.5.0 — 2.7.5+6

▶CVEListV5apache_software_foundation/apache_hadoopApache Hadoop 3.0.0-alpha1 to 3.0.0, 2.9.0, 2.8.0 to 2.8.3, 2.5.0 to 2.7.5

🔴Vulnerability Details

GHSA

Exposure of Sensitive Information to an Unauthorized Actor in Hadoop↗2019-02-12

▶

OSV

Exposure of Sensitive Information to an Unauthorized Actor in Hadoop↗2019-02-12

▶

CVEList

CVE-2018-1296: In Apache Hadoop 3↗2019-02-07

▶

📋Vendor Advisories

Red Hat

hadoop: HDFS Permissive listXAttr Authorization↗2019-01-24

▶

Apache

Apache hadoop: CVE-2018-1296↗

▶

💬Community

Bugzilla

CVE-2018-1296 hadoop: HDFS Permissive listXAttr Authorization↗2019-01-31

▶