FKIE_CVE-2017-15713

Vulnerability from fkie_nvd - Published: 2018-01-19 17:29 - Updated: 2024-11-21 03:15
Severity ?
6.5 (Medium) - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Summary
Vulnerability in Apache Hadoop 0.23.x, 2.x before 2.7.5, 2.8.x before 2.8.3, and 3.0.0-alpha through 3.0.0-beta1 allows a cluster user to expose private files owned by the user running the MapReduce job history server process. The malicious user can construct a configuration file containing XML directives that reference sensitive files on the MapReduce job history server host.
References
security@apache.orghttps://lists.apache.org/thread.html/a790a251ace7213bde9f69777dedb453b1a01a6d18289c14a61d4f91%40%3Cgeneral.hadoop.apache.org%3E
af854a3a-2127-422b-91ae-364da2661108https://lists.apache.org/thread.html/a790a251ace7213bde9f69777dedb453b1a01a6d18289c14a61d4f91%40%3Cgeneral.hadoop.apache.org%3E
Impacted products
Vendor Product Version
apache hadoop *
apache hadoop *
apache hadoop 2.0.0
apache hadoop 2.0.1
apache hadoop 2.0.2
apache hadoop 2.0.3
apache hadoop 2.0.4
apache hadoop 2.0.5
apache hadoop 2.0.6
apache hadoop 2.1.0
apache hadoop 2.1.1
apache hadoop 3.0.0
apache hadoop 3.0.0
apache hadoop 3.0.0
apache hadoop 3.0.0
apache hadoop 3.0.0
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:apache:hadoop:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "2361D3C0-C442-4FBD-A860-F5708E991EAE",
              "versionEndIncluding": "0.23.11",
              "versionStartIncluding": "0.23.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:hadoop:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "47B637FE-CA00-45E7-AF2D-D55DE9C758CC",
              "versionEndIncluding": "2.8.2",
              "versionStartIncluding": "2.2.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:hadoop:2.0.0:alpha:*:*:*:*:*:*",
              "matchCriteriaId": "227941BD-D769-45AD-9D61-7FCA3C2264FA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:hadoop:2.0.1:alpha:*:*:*:*:*:*",
              "matchCriteriaId": "18BF490A-0865-47C0-A143-0991B40BD259",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:hadoop:2.0.2:alpha:*:*:*:*:*:*",
              "matchCriteriaId": "E091799F-203D-4C52-839E-E798770C0287",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:hadoop:2.0.3:alpha:*:*:*:*:*:*",
              "matchCriteriaId": "80E53689-C56C-4104-B510-CB4116B898CB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:hadoop:2.0.4:alpha:*:*:*:*:*:*",
              "matchCriteriaId": "591921C3-F7EA-402E-9C36-2EADF0417C72",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:hadoop:2.0.5:alpha:*:*:*:*:*:*",
              "matchCriteriaId": "9FA774A9-81B3-4303-B254-C802B4DC8004",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:hadoop:2.0.6:alpha:*:*:*:*:*:*",
              "matchCriteriaId": "877CAAE8-5E57-4D0D-A8EB-8CA696D0CE3F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:hadoop:2.1.0:beta:*:*:*:*:*:*",
              "matchCriteriaId": "25DB127F-4293-4847-A8C4-C7F6B74762EE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:hadoop:2.1.1:beta:*:*:*:*:*:*",
              "matchCriteriaId": "E8AE3E25-0726-4039-A3A8-B53F7CF0E638",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:hadoop:3.0.0:alpha1:*:*:*:*:*:*",
              "matchCriteriaId": "C33530ED-6093-4B4C-AFDB-4DB5EB5878E0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:hadoop:3.0.0:alpha2:*:*:*:*:*:*",
              "matchCriteriaId": "38BCF20D-169E-4847-8880-A223467B8639",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:hadoop:3.0.0:alpha3:*:*:*:*:*:*",
              "matchCriteriaId": "336DADCF-3302-423D-BFDC-72C031AD1CAD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:hadoop:3.0.0:alpha4:*:*:*:*:*:*",
              "matchCriteriaId": "689B619C-04C4-43C6-B103-DDAAA9C9CC9C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:hadoop:3.0.0:beta1:*:*:*:*:*:*",
              "matchCriteriaId": "1E457B6F-5F01-45C5-8568-7AF598721AEB",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Vulnerability in Apache Hadoop 0.23.x, 2.x before 2.7.5, 2.8.x before 2.8.3, and 3.0.0-alpha through 3.0.0-beta1 allows a cluster user to expose private files owned by the user running the MapReduce job history server process. The malicious user can construct a configuration file containing XML directives that reference sensitive files on the MapReduce job history server host."
    },
    {
      "lang": "es",
      "value": "Vulnerabilidad en Apache Hadoop 0.23.x, 2.x en versiones anteriores a la 2.7.5, 2.8.x en versiones anteriores a la 2.8.3 y 3.0.0-alpha hasta la versi\u00f3n 3.0.0-beta1 permite que un usuario del cl\u00faster exponga archivos privados en propiedad del usuario que ejecuta el proceso del servidor de historial de jobs MapReduce. El usuario malicioso puede construir un archivo de configuraci\u00f3n que contiene directivas XML que referencian archivos sensibles en el host del servidor de historial de jobs MapReduce."
    }
  ],
  "id": "CVE-2017-15713",
  "lastModified": "2024-11-21T03:15:04.077",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": true,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "SINGLE",
          "availabilityImpact": "NONE",
          "baseScore": 4.0,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "NONE",
          "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 8.0,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.0"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2018-01-19T17:29:00.210",
  "references": [
    {
      "source": "security@apache.org",
      "url": "https://lists.apache.org/thread.html/a790a251ace7213bde9f69777dedb453b1a01a6d18289c14a61d4f91%40%3Cgeneral.hadoop.apache.org%3E"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.apache.org/thread.html/a790a251ace7213bde9f69777dedb453b1a01a6d18289c14a61d4f91%40%3Cgeneral.hadoop.apache.org%3E"
    }
  ],
  "sourceIdentifier": "security@apache.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-200"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.