CVE-2020-9492 — Incorrect Authorization in Apache Hadoop

CWE-863 — Incorrect Authorization CWE-269 — Improper Privilege Management8 documents7 sources

Severity

8.8HIGHNVD

EPSS

0.1%

top 65.32%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Hadoop Apache Software Foundation Apache Hadoop Apache Solr +1 more

Timeline

PublishedJan 26

Latest updateOct 15

Description

In Apache Hadoop 3.2.0 to 3.2.1, 3.0.0-alpha1 to 3.1.3, and 2.0.0-alpha to 2.10.0, WebHDFS client might send SPNEGO authorization header to remote URL without proper verification.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages4 packages

▶NVDapache/hadoop2.0.0 — 2.10.0+2

▶CVEListV5apache_software_foundation/apache_hadoopApache Hadoop 3.2.0 to 3.2.1, 3.0.0-alpha1 to 3.1.3, 2.0.0-alpha to 2.10.0

▶NVDapache/solr8.6.0, 8.6.2+1

▶NVDoracle/financial_services_crime_and_compliance_management_studio8.0.8.2.0, 8.0.8.3.0+1

Patches

Patch: www.oracle.com ↗Patch: www.oracle.com ↗

🔴Vulnerability Details

OSV

Improper Privilege Management in Apache Hadoop↗2022-02-09

▶

GHSA

Improper Privilege Management in Apache Hadoop↗2022-02-09

▶

CVEList

CVE-2020-9492: In Apache Hadoop 3↗2021-01-26

▶

📋Vendor Advisories

Oracle

Oracle Oracle Construction and Engineering Risk Matrix: Document Management (Apache Solr) — CVE-2020-9492↗2022-10-15

▶

Oracle

Oracle Oracle Financial Services Applications Risk Matrix: Studio (Apache Hadoop) — CVE-2020-9492↗2022-07-15

▶

Red Hat

hadoop: WebHDFS client might send SPNEGO authorization header↗2021-01-26

▶

Apache

Apache hadoop: CVE-2020-9492↗

▶