Authentication Flaw in Apache Hadoop WebHDFS Client Leads to Potential Security Risk
CVE-2020-9492

8.8HIGH

Key Information:

Vendor
Apache
Status
Apache Hadoop
Vendor
CVE Published:
26 January 2021

Summary

In versions of Apache Hadoop from 3.2.0 to 3.2.1, alongside earlier release candidates and alpha versions, a significant flaw exists in the WebHDFS client. This vulnerability allows an unauthorized SPNEGO authorization header to be transmitted to remote URLs without proper verification, which could inadvertently expose sensitive user credentials. This poses a risk of privilege escalation, impacting overall application security.

Affected Version(s)

Apache Hadoop Apache Hadoop 3.2.0 to 3.2.1, 3.0.0-alpha1 to 3.1.3, 2.0.0-alpha to 2.10.0

References

https://lists.apache.org/thread.html/r513758942356ccd0d14...
x_refsource_MISC
https://lists.apache.org/thread.html/rca4516b00b55b347905...
mailing-listx_refsource_MLIST
https://lists.apache.org/thread.html/r79323adac584edab99f...
mailing-listx_refsource_MLIST

CVSS V3.1

Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.