Authorization Bypass Vulnerability in Apache Hadoop
CVE-2018-11765

7.5HIGH

Key Information:

Vendor: Apache
Status: Apache Hadoop
Vendor: CVE Published:; 30 September 2020

🔔 Create Apache Vulnerability Alert

What is CVE-2018-11765?

An authorization bypass vulnerability in Apache Hadoop can allow any user to access certain servlets without authentication when Kerberos authentication is activated, but SPNEGO via HTTP is not enabled. This issue can lead to unauthorized access and potential exposure of sensitive data, requiring users to ensure proper authentication measures are in place to mitigate the risk.

Affected Version(s)

Apache Hadoop Apache Hadoop 3.0.0-alpha2 to 3.0.0, 2.9.0 to 2.9.2, 2.8.0 to 2.8.5

References

https://lists.apache.org/thread.html/r2c7f899911a04164ed1...

x_refsource_MISC

https://lists.apache.org/thread.html/rf9dfa8b77585c9227db...

mailing-listx_refsource_MLIST

https://lists.apache.org/thread.html/rbe25cac0f499374f8ae...

mailing-listx_refsource_MLIST

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Sep 30, 2020
Vulnerability Reserved
Jun 5, 2018

.