org.apache.hadoop:hadoop-common (Maven) — known CVEs & security advisories
Known CVE vulnerabilities and GitHub Security Advisories affecting the Maven package org.apache.hadoop:hadoop-common, with affected version ranges, CVSS severity, EPSS exploit prediction, and CISA KEV status.
CVEs (12)
CVE-2022-26612 — CVSS 9.8 (critical): In Apache Hadoop, The unTar function uses unTarUsingJava function on Windows and the built-in tar utility on Unix and other OSes. As a…
CVE-2022-25168 — CVSS 9.8 (critical): Apache Hadoop's FileUtil.unTar(File, File) API does not escape the input file name before being passed to the shell. An attacker can inject…
CVE-2021-37404 — CVSS 9.8 (critical): There is a potential heap buffer overflow in Apache Hadoop libhdfs native code. Opening a file path provided by user without validation may…
CVE-2020-9492 — CVSS 8.8 (high): In Apache Hadoop 3.2.0 to 3.2.1, 3.0.0-alpha1 to 3.1.3, and 2.0.0-alpha to 2.10.0, WebHDFS client might send SPNEGO authorization header to…
CVE-2016-5393 — CVSS 8.8 (high): In Apache Hadoop 2.6.x before 2.6.5 and 2.7.x before 2.7.3, a remote user who can authenticate with the HDFS NameNode can possibly run…
CVE-2016-6811 — CVSS 8.8 (high): In Apache Hadoop 2.x before 2.7.4, a user who can escalate to yarn user can possibly run arbitrary commands as root user.
CVE-2017-7669 — CVSS 7.5 (high): In Apache Hadoop 2.8.0, 3.0.0-alpha1, and 3.0.0-alpha2, the LinuxContainerExecutor runs docker commands as root with insufficient input…
CVE-2014-0229 — CVSS 6.5 (medium): Apache Hadoop 0.23.x before 0.23.11 and 2.x before 2.4.1, as used in Cloudera CDH 5.0.x before 5.0.2, do not check authorization for the…
CVE-2024-23454 — CVSS 6.2 (medium): Apache Hadoop’s RunJar.run() does not set permissions for temporary directory by default. If sensitive data will be present in this file…
CVE-2015-1776 — CVSS 6.2 (medium): Apache Hadoop 2.6.x encrypts intermediate data generated by a MapReduce job and stores it along with the encryption key in a credentials…
CVE-2016-5001 — CVSS 5.5 (medium): This is an information disclosure vulnerability in Apache Hadoop before 2.6.4 and 2.7.x before 2.7.2 in the short-circuit reads feature of…
CVE-2013-2192 — CVSS 3.2 (low): The RPC protocol implementation in Apache Hadoop 2.x before 2.0.6-alpha, 0.23.x before 0.23.9, and 1.x before 1.2.1, when the Kerberos…