gsd-2018-11765
Vulnerability from gsd
Modified
2023-12-13 01:22
Details
In Apache Hadoop versions 3.0.0-alpha2 to 3.0.0, 2.9.0 to 2.9.2, 2.8.0 to 2.8.5, any users can access some servlets without authentication when Kerberos authentication is enabled and SPNEGO through HTTP is not enabled.
Aliases
Aliases
CVE-2018-11765


To clipboard 

{
  "GSD": {
    "alias": "CVE-2018-11765",
    "description": "In Apache Hadoop versions 3.0.0-alpha2 to 3.0.0, 2.9.0 to 2.9.2, 2.8.0 to 2.8.5, any users can access some servlets without authentication when Kerberos authentication is enabled and SPNEGO through HTTP is not enabled.",
    "id": "GSD-2018-11765"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2018-11765"
      ],
      "details": "In Apache Hadoop versions 3.0.0-alpha2 to 3.0.0, 2.9.0 to 2.9.2, 2.8.0 to 2.8.5, any users can access some servlets without authentication when Kerberos authentication is enabled and SPNEGO through HTTP is not enabled.",
      "id": "GSD-2018-11765",
      "modified": "2023-12-13T01:22:42.299260Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security@apache.org",
        "ID": "CVE-2018-11765",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "Apache Hadoop",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "Apache Hadoop 3.0.0-alpha2 to 3.0.0, 2.9.0 to 2.9.2, 2.8.0 to 2.8.5"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "In Apache Hadoop versions 3.0.0-alpha2 to 3.0.0, 2.9.0 to 2.9.2, 2.8.0 to 2.8.5, any users can access some servlets without authentication when Kerberos authentication is enabled and SPNEGO through HTTP is not enabled."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "Information Disclosure"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://lists.apache.org/thread.html/r2c7f899911a04164ed1707083fcd4135f8427e04778c87d83509b0da%40%3Cgeneral.hadoop.apache.org%3E",
            "refsource": "MISC",
            "url": "https://lists.apache.org/thread.html/r2c7f899911a04164ed1707083fcd4135f8427e04778c87d83509b0da%40%3Cgeneral.hadoop.apache.org%3E"
          },
          {
            "name": "[druid-dev] 20201007 [CANCEL][VOTE] Release Apache Druid 0.20.0 [RC1]",
            "refsource": "MLIST",
            "url": "https://lists.apache.org/thread.html/rf9dfa8b77585c9227db9637552eebb2ab029255a0db4eb76c2b6c4cf@%3Cdev.druid.apache.org%3E"
          },
          {
            "name": "[druid-commits] 20201007 [GitHub] [druid] jon-wei opened a new pull request #10485: Suppress CVE-2018-11765 for hadoop dependencies",
            "refsource": "MLIST",
            "url": "https://lists.apache.org/thread.html/rbe25cac0f499374f8ae17a4a44a8404927b56de28d4c41940d82b7a4@%3Ccommits.druid.apache.org%3E"
          },
          {
            "name": "[druid-commits] 20201008 [druid] branch master updated: Suppress CVE-2018-11765 for hadoop dependencies (#10485)",
            "refsource": "MLIST",
            "url": "https://lists.apache.org/thread.html/r4dddf1705dbedfa94392913b2dad1cd2d1d89040facd389eea0b3510@%3Ccommits.druid.apache.org%3E"
          },
          {
            "name": "[druid-commits] 20201008 [GitHub] [druid] jon-wei merged pull request #10485: Suppress CVE-2018-11765 for hadoop dependencies",
            "refsource": "MLIST",
            "url": "https://lists.apache.org/thread.html/r79b15c5b66c6df175d01d7560adf0cd5c369129b9a161905e0339927@%3Ccommits.druid.apache.org%3E"
          },
          {
            "name": "[druid-commits] 20201008 [GitHub] [druid] jon-wei opened a new pull request #10492: [Backport] Suppress CVE-2018-11765 for hadoop dependencies (#10485)",
            "refsource": "MLIST",
            "url": "https://lists.apache.org/thread.html/reea5eb8622afbfbfca46bc758f79db83d90a3263a906c4d1acba4971@%3Ccommits.druid.apache.org%3E"
          },
          {
            "name": "[druid-commits] 20201008 [druid] branch 0.20.0 updated: Suppress CVE-2018-11765 for hadoop dependencies (#10485) (#10492)",
            "refsource": "MLIST",
            "url": "https://lists.apache.org/thread.html/rb21df54a4e39732ce653d2aa5672e36a792b59eb6717f2a06bb8d02a@%3Ccommits.druid.apache.org%3E"
          },
          {
            "name": "[druid-commits] 20201008 [GitHub] [druid] jon-wei merged pull request #10492: [Backport] Suppress CVE-2018-11765 for hadoop dependencies (#10485)",
            "refsource": "MLIST",
            "url": "https://lists.apache.org/thread.html/r46447f38ea8c89421614e9efd7de5e656186d35e10fc97cf88477a01@%3Ccommits.druid.apache.org%3E"
          },
          {
            "name": "[druid-commits] 20201009 [GitHub] [druid] jon-wei merged pull request #10485: Suppress CVE-2018-11765 for hadoop dependencies",
            "refsource": "MLIST",
            "url": "https://lists.apache.org/thread.html/r17d94d132b207dad221595fd8b8b18628f5f5ec7e3f5be939ecd8928@%3Ccommits.druid.apache.org%3E"
          },
          {
            "name": "[druid-commits] 20201009 [GitHub] [druid] jon-wei opened a new pull request #10492: [Backport] Suppress CVE-2018-11765 for hadoop dependencies (#10485)",
            "refsource": "MLIST",
            "url": "https://lists.apache.org/thread.html/rb241464d83baa3749b08cd3dabc8dba70a9a9027edcef3b5d4c24ef4@%3Ccommits.druid.apache.org%3E"
          },
          {
            "name": "[druid-commits] 20201009 [GitHub] [druid] jon-wei merged pull request #10492: [Backport] Suppress CVE-2018-11765 for hadoop dependencies (#10485)",
            "refsource": "MLIST",
            "url": "https://lists.apache.org/thread.html/r74825601e93582167eb7cdc2f764c74c9c6d8006fa90018562fda60f@%3Ccommits.druid.apache.org%3E"
          },
          {
            "name": "https://security.netapp.com/advisory/ntap-20201016-0005/",
            "refsource": "CONFIRM",
            "url": "https://security.netapp.com/advisory/ntap-20201016-0005/"
          }
        ]
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "[3.0.0-alpha2,3.0.0],[2.9.0,2.9.2],[2.8.0,2.8.5]",
          "affected_versions": "All versions starting from 3.0.0-alpha2 up to 3.0.0, all versions starting from 2.9.0 up to 2.9.2, all versions starting from 2.8.0 up to 2.8.5",
          "cvss_v2": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-287",
            "CWE-937"
          ],
          "date": "2021-10-05",
          "description": "In Apache Hadoop versions 3.0.0-alpha2 to 3.0.0, 2.9.0 to 2.9.2, 2.8.0 to 2.8.5, any users can access some servlets without authentication when Kerberos authentication is enabled and SPNEGO through HTTP is not enabled.",
          "fixed_versions": [
            "3.0.1",
            "3.0.1",
            "3.0.1",
            "2.8.6"
          ],
          "identifier": "CVE-2018-11765",
          "identifiers": [
            "GHSA-rhh9-cm65-3w54",
            "CVE-2018-11765"
          ],
          "not_impacted": "All versions before 3.0.0-alpha2, all versions after 3.0.0, all versions before 2.9.0, all versions after 2.9.2, all versions before 2.8.0, all versions after 2.8.5",
          "package_slug": "maven/org.apache.hadoop/hadoop-main",
          "pubdate": "2021-04-30",
          "solution": "Upgrade to versions 3.0.1, 3.0.1, 3.0.1, 2.8.6 or above.",
          "title": "Improper Authentication",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2018-11765",
            "https://lists.apache.org/thread.html/r17d94d132b207dad221595fd8b8b18628f5f5ec7e3f5be939ecd8928@%3Ccommits.druid.apache.org%3E",
            "https://lists.apache.org/thread.html/r2c7f899911a04164ed1707083fcd4135f8427e04778c87d83509b0da%40%3Cgeneral.hadoop.apache.org%3E",
            "https://lists.apache.org/thread.html/r46447f38ea8c89421614e9efd7de5e656186d35e10fc97cf88477a01@%3Ccommits.druid.apache.org%3E",
            "https://lists.apache.org/thread.html/r4dddf1705dbedfa94392913b2dad1cd2d1d89040facd389eea0b3510@%3Ccommits.druid.apache.org%3E",
            "https://lists.apache.org/thread.html/r74825601e93582167eb7cdc2f764c74c9c6d8006fa90018562fda60f@%3Ccommits.druid.apache.org%3E",
            "https://lists.apache.org/thread.html/r79b15c5b66c6df175d01d7560adf0cd5c369129b9a161905e0339927@%3Ccommits.druid.apache.org%3E",
            "https://lists.apache.org/thread.html/rb21df54a4e39732ce653d2aa5672e36a792b59eb6717f2a06bb8d02a@%3Ccommits.druid.apache.org%3E",
            "https://lists.apache.org/thread.html/rb241464d83baa3749b08cd3dabc8dba70a9a9027edcef3b5d4c24ef4@%3Ccommits.druid.apache.org%3E",
            "https://lists.apache.org/thread.html/rbe25cac0f499374f8ae17a4a44a8404927b56de28d4c41940d82b7a4@%3Ccommits.druid.apache.org%3E",
            "https://lists.apache.org/thread.html/reea5eb8622afbfbfca46bc758f79db83d90a3263a906c4d1acba4971@%3Ccommits.druid.apache.org%3E",
            "https://lists.apache.org/thread.html/rf9dfa8b77585c9227db9637552eebb2ab029255a0db4eb76c2b6c4cf@%3Cdev.druid.apache.org%3E",
            "https://security.netapp.com/advisory/ntap-20201016-0005/",
            "https://github.com/advisories/GHSA-rhh9-cm65-3w54"
          ],
          "uuid": "ef2c8c91-6671-4512-97ab-09587b00f82f"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:apache:hadoop:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndIncluding": "2.8.5",
                "versionStartIncluding": "2.8.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:apache:hadoop:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndIncluding": "2.9.2",
                "versionStartIncluding": "2.9.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:apache:hadoop:3.0.0:-:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:apache:hadoop:3.0.0:alpha2:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security@apache.org",
          "ID": "CVE-2018-11765"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "In Apache Hadoop versions 3.0.0-alpha2 to 3.0.0, 2.9.0 to 2.9.2, 2.8.0 to 2.8.5, any users can access some servlets without authentication when Kerberos authentication is enabled and SPNEGO through HTTP is not enabled."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-287"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://lists.apache.org/thread.html/r2c7f899911a04164ed1707083fcd4135f8427e04778c87d83509b0da%40%3Cgeneral.hadoop.apache.org%3E",
              "refsource": "MISC",
              "tags": [
                "Mailing List",
                "Vendor Advisory"
              ],
              "url": "https://lists.apache.org/thread.html/r2c7f899911a04164ed1707083fcd4135f8427e04778c87d83509b0da%40%3Cgeneral.hadoop.apache.org%3E"
            },
            {
              "name": "[druid-dev] 20201007 [CANCEL][VOTE] Release Apache Druid 0.20.0 [RC1]",
              "refsource": "MLIST",
              "tags": [],
              "url": "https://lists.apache.org/thread.html/rf9dfa8b77585c9227db9637552eebb2ab029255a0db4eb76c2b6c4cf@%3Cdev.druid.apache.org%3E"
            },
            {
              "name": "[druid-commits] 20201007 [GitHub] [druid] jon-wei opened a new pull request #10485: Suppress CVE-2018-11765 for hadoop dependencies",
              "refsource": "MLIST",
              "tags": [],
              "url": "https://lists.apache.org/thread.html/rbe25cac0f499374f8ae17a4a44a8404927b56de28d4c41940d82b7a4@%3Ccommits.druid.apache.org%3E"
            },
            {
              "name": "[druid-commits] 20201008 [GitHub] [druid] jon-wei opened a new pull request #10492: [Backport] Suppress CVE-2018-11765 for hadoop dependencies (#10485)",
              "refsource": "MLIST",
              "tags": [],
              "url": "https://lists.apache.org/thread.html/reea5eb8622afbfbfca46bc758f79db83d90a3263a906c4d1acba4971@%3Ccommits.druid.apache.org%3E"
            },
            {
              "name": "[druid-commits] 20201008 [druid] branch master updated: Suppress CVE-2018-11765 for hadoop dependencies (#10485)",
              "refsource": "MLIST",
              "tags": [],
              "url": "https://lists.apache.org/thread.html/r4dddf1705dbedfa94392913b2dad1cd2d1d89040facd389eea0b3510@%3Ccommits.druid.apache.org%3E"
            },
            {
              "name": "[druid-commits] 20201008 [GitHub] [druid] jon-wei merged pull request #10485: Suppress CVE-2018-11765 for hadoop dependencies",
              "refsource": "MLIST",
              "tags": [],
              "url": "https://lists.apache.org/thread.html/r79b15c5b66c6df175d01d7560adf0cd5c369129b9a161905e0339927@%3Ccommits.druid.apache.org%3E"
            },
            {
              "name": "[druid-commits] 20201008 [druid] branch 0.20.0 updated: Suppress CVE-2018-11765 for hadoop dependencies (#10485) (#10492)",
              "refsource": "MLIST",
              "tags": [],
              "url": "https://lists.apache.org/thread.html/rb21df54a4e39732ce653d2aa5672e36a792b59eb6717f2a06bb8d02a@%3Ccommits.druid.apache.org%3E"
            },
            {
              "name": "[druid-commits] 20201008 [GitHub] [druid] jon-wei merged pull request #10492: [Backport] Suppress CVE-2018-11765 for hadoop dependencies (#10485)",
              "refsource": "MLIST",
              "tags": [],
              "url": "https://lists.apache.org/thread.html/r46447f38ea8c89421614e9efd7de5e656186d35e10fc97cf88477a01@%3Ccommits.druid.apache.org%3E"
            },
            {
              "name": "[druid-commits] 20201009 [GitHub] [druid] jon-wei merged pull request #10485: Suppress CVE-2018-11765 for hadoop dependencies",
              "refsource": "MLIST",
              "tags": [],
              "url": "https://lists.apache.org/thread.html/r17d94d132b207dad221595fd8b8b18628f5f5ec7e3f5be939ecd8928@%3Ccommits.druid.apache.org%3E"
            },
            {
              "name": "[druid-commits] 20201009 [GitHub] [druid] jon-wei merged pull request #10492: [Backport] Suppress CVE-2018-11765 for hadoop dependencies (#10485)",
              "refsource": "MLIST",
              "tags": [],
              "url": "https://lists.apache.org/thread.html/r74825601e93582167eb7cdc2f764c74c9c6d8006fa90018562fda60f@%3Ccommits.druid.apache.org%3E"
            },
            {
              "name": "[druid-commits] 20201009 [GitHub] [druid] jon-wei opened a new pull request #10492: [Backport] Suppress CVE-2018-11765 for hadoop dependencies (#10485)",
              "refsource": "MLIST",
              "tags": [],
              "url": "https://lists.apache.org/thread.html/rb241464d83baa3749b08cd3dabc8dba70a9a9027edcef3b5d4c24ef4@%3Ccommits.druid.apache.org%3E"
            },
            {
              "name": "https://security.netapp.com/advisory/ntap-20201016-0005/",
              "refsource": "CONFIRM",
              "tags": [],
              "url": "https://security.netapp.com/advisory/ntap-20201016-0005/"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "NONE",
            "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
            "version": "2.0"
          },
          "exploitabilityScore": 8.6,
          "impactScore": 2.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 3.6
        }
      },
      "lastModifiedDate": "2020-10-16T11:15Z",
      "publishedDate": "2020-09-30T18:15Z"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.