List: hadoop-user
Subject: [CVE-2018-11764] Apache Hadoop Privilege escalation in web endpoint
From: Akira Ajisaka <aajisaka () apache ! org>
Date: 2020-10-21 6:20:45
Message-ID: CAP+3qq799Gj73OYwZfwaQeY_nvHBpudRvBVUHrYys1AKdMs4dg () mail ! gmail ! com
CVE-2018-11764: Apache Hadoop Privilege escalation in web endpoint
Severity: Critical
Vendor: The Apache Software Foundation
Versions affected:
3.0.0-alpha4, 3.0.0-beta1, and 3.0.0
Description:
Web endpoint authentication check is broken. Authenticated users may
impersonate any user even if no proxy user is configured.
Mitigation:
Users should upgrade to Apache Hadoop 3.0.1 or later.
Credit:
This issue was discovered by Daryn Sharp.