FKIE_CVE-2017-3166

Vulnerability from fkie_nvd - Published: 2017-11-13 14:29 - Updated: 2025-04-20 01:37
Severity ?
7.8 (High) - CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
In Apache Hadoop versions 2.6.1 to 2.6.5, 2.7.0 to 2.7.3, and 3.0.0-alpha1, if a file in an encryption zone with access permissions that make it world readable is localized via YARN's localization mechanism, that file will be stored in a world-readable location and can be shared freely with any application that requests to localize that file.
References
security@apache.orghttps://lists.apache.org/thread.html/2e16689b44bdd1976b6368c143a4017fc7159d1f2d02a5d54fe9310f%40%3Cgeneral.hadoop.apache.org%3E
security@apache.orghttps://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe%40%3Ccommits.druid.apache.org%3E
af854a3a-2127-422b-91ae-364da2661108https://lists.apache.org/thread.html/2e16689b44bdd1976b6368c143a4017fc7159d1f2d02a5d54fe9310f%40%3Cgeneral.hadoop.apache.org%3E
af854a3a-2127-422b-91ae-364da2661108https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe%40%3Ccommits.druid.apache.org%3E
Impacted products
Vendor Product Version
apache hadoop 2.6.1
apache hadoop 2.6.2
apache hadoop 2.6.3
apache hadoop 2.6.4
apache hadoop 2.6.5
apache hadoop 2.7.0
apache hadoop 2.7.1
apache hadoop 2.7.2
apache hadoop 2.7.3
apache hadoop 3.0.0
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:apache:hadoop:2.6.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "569A25D2-6BAE-4AF3-B5A4-E578F5BF4000",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:hadoop:2.6.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "0303DDA4-A5C1-4358-A4DC-F85C1B2E3254",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:hadoop:2.6.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "68F54CBB-0D44-4F8F-A45D-330213E0C349",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:hadoop:2.6.4:*:*:*:*:*:*:*",
              "matchCriteriaId": "97B60011-6E60-4DBC-957B-C1F1CBB2B777",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:hadoop:2.6.5:*:*:*:*:*:*:*",
              "matchCriteriaId": "78F6B3B1-8C97-42F4-B5C0-B821B0866D67",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:hadoop:2.7.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "00E1BC92-93DF-479F-8C05-672ADF348565",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:hadoop:2.7.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "0CACFCC5-8A44-4DAE-A83F-139B488509A4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:hadoop:2.7.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "9BE605CB-8A00-45EC-9DAA-775D4E9F5B85",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:hadoop:2.7.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "F9437CAB-BAA4-40E1-9A24-2A801AA132F4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:hadoop:3.0.0:alpha1:*:*:*:*:*:*",
              "matchCriteriaId": "C33530ED-6093-4B4C-AFDB-4DB5EB5878E0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In Apache Hadoop versions 2.6.1 to 2.6.5, 2.7.0 to 2.7.3, and 3.0.0-alpha1, if a file in an encryption zone with access permissions that make it world readable is localized via YARN\u0027s localization mechanism, that file will be stored in a world-readable location and can be shared freely with any application that requests to localize that file."
    },
    {
      "lang": "es",
      "value": "En Apache Hadoop, en versiones 2.6.1 a 2.6.5, 2.7.0 a 2.7.3 y 3.0.0-alpha1, si un archivo en una zona de cifrado con permisos de acceso que lo hacen legible para todos los usuarios se localiza mediante el mecanismo de localizaci\u00f3n de YARN, ese archivo ser\u00e1 almacenado en una localizaci\u00f3n legible por todos los usuarios y puede ser compartido libremente con cualquier aplicaci\u00f3n que solicite localizar ese archivo."
    }
  ],
  "id": "CVE-2017-3166",
  "lastModified": "2025-04-20T01:37:25.860",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "LOCAL",
          "authentication": "NONE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 4.6,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 6.4,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "HIGH",
          "baseScore": 7.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.0"
        },
        "exploitabilityScore": 1.8,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2017-11-13T14:29:00.870",
  "references": [
    {
      "source": "security@apache.org",
      "url": "https://lists.apache.org/thread.html/2e16689b44bdd1976b6368c143a4017fc7159d1f2d02a5d54fe9310f%40%3Cgeneral.hadoop.apache.org%3E"
    },
    {
      "source": "security@apache.org",
      "url": "https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe%40%3Ccommits.druid.apache.org%3E"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.apache.org/thread.html/2e16689b44bdd1976b6368c143a4017fc7159d1f2d02a5d54fe9310f%40%3Cgeneral.hadoop.apache.org%3E"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe%40%3Ccommits.druid.apache.org%3E"
    }
  ],
  "sourceIdentifier": "security@apache.org",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-732"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.