CVE-2021-33036

CWE-24 CWE-264 CWE-22 — Path Traversal CWE-502 — Deserialization of Untrusted Data6 documents6 sources

Severity

8.8HIGH

EPSS

2.1%

top 15.96%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Hadoop Apache Software Foundation Apache Hadoop

Timeline

PublishedJun 15

Latest updateJun 16

Description

In Apache Hadoop 2.2.0 to 2.10.1, 3.0.0-alpha1 to 3.1.4, 3.2.0 to 3.2.2, and 3.3.0 to 3.3.1, a user who can escalate to yarn user can possibly run arbitrary commands as root user. Users should upgrade to Apache Hadoop 2.10.2, 3.2.3, 3.3.2 or higher.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages3 packages

▶Mavenorg.apache.hadoop:hadoop-yarn-server-common2.2.0 — 2.10.2+2

▶NVDapache/hadoop2.2.0 — 2.10.2+3

▶CVEListV5apache_software_foundation/apache_hadoop2.2.0 to 2.10.1, 3.0.0-alpha1 to 3.1.4, 3.2.0 to 3.2.2, and 3.3.0 to 3.3.1

🔴Vulnerability Details

OSV

User account escalation in Apache Hadoop↗2022-06-16

▶

GHSA

User account escalation in Apache Hadoop↗2022-06-16

▶

CVEList

Apache Hadoop Privilege escalation vulnerability↗2022-06-15

▶

📋Vendor Advisories

Red Hat

hadoop: privilege escalation via yarn user↗2022-06-15

▶

Apache

Apache hadoop: CVE-2021-33036↗

▶