CVE-2016-5001

5.5MEDIUM

Key Information:

Vendor: Apache
Status: Apache Hadoop
Vendor: CVE Published:; 30 August 2017

Summary

This is an information disclosure vulnerability in Apache Hadoop before 2.6.4 and 2.7.x before 2.7.2 in the short-circuit reads feature of HDFS. A local user on an HDFS DataNode may be able to craft a block token that grants unauthorized read access to random files by guessing certain fields in the token.

Affected Version(s)

Apache Hadoop 2.1.0 to 2.6.3

Apache Hadoop 2.7.0 to 2.7.1

References

http://www.securityfocus.com/bid/94950

vdb-entryx_refsource_BID

http://seclists.org/oss-sec/2016/q4/698

mailing-listx_refsource_MLIST

https://lists.apache.org/thread.html/r66de86b9a608c1da70b...

mailing-listx_refsource_MLIST

CVSS V3.1

Score:

5.5

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Aug 30, 2017
Vulnerability Reserved
May 24, 2016

.