CVE-2021-37404

CWE-787 — Out-of-bounds Write CWE-131 CWE-120 — Classic Buffer Overflow6 documents6 sources

Severity

9.8CRITICAL

EPSS

1.1%

top 22.26%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Hadoop Apache Software Foundation Apache Hadoop

Timeline

PublishedJun 13

Latest updateJun 14

Description

There is a potential heap buffer overflow in Apache Hadoop libhdfs native code. Opening a file path provided by user without validation may result in a denial of service or arbitrary code execution. Users should upgrade to Apache Hadoop 2.10.2, 3.2.3, 3.3.2 or higher.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages3 packages

▶NVDapache/hadoop2.9.0 — 2.10.2+3

▶Mavenorg.apache.hadoop:hadoop-common3.3.0 — 3.3.2+2

▶CVEListV5apache_software_foundation/apache_hadoop4 versions+3

🔴Vulnerability Details

GHSA

Apache Hadoop heap overflow before v2.10.2, v3.2.3, v3.3.2↗2022-06-14

▶

OSV

Apache Hadoop heap overflow before v2.10.2, v3.2.3, v3.3.2↗2022-06-14

▶

CVEList

Heap buffer overflow in libhdfs native library↗2022-06-13

▶

📋Vendor Advisories

Red Hat

hadoop-hdfs: Heap buffer overflow in Apache Hadoop libhdfs↗2022-06-13

▶

Apache

Apache hadoop: CVE-2021-37404↗

▶