CVE-2016-5001
Severity: MEDIUM
Apache Hadoop < 2.6.4 and 2.7.0-2.7.1 - Unauthorized File Read via Short-Circuit Reads Token Guessing
This is an information disclosure vulnerability in Apache Hadoop before 2.6.4 and 2.7.x before 2.7.2 in the short-circuit reads feature of HDFS. A local user on an HDFS DataNode may be able to craft a block token that grants unauthorized read access to random files by guessing certain fields in the token.
References (3)
Third Party Advisory, VDB Entry (vdb-entry, x_refsource_bid)
http://www.securityfocus.com/bid/94950
Mailing List, Third Party Advisory (mailing-list, x_refsource_mlist)
http://seclists.org/oss-sec/2016/q4/698
Mailing List (mailing-list, x_refsource_mlist)
https://lists.apache.org/thread.html/r66de86b9a608c1da70b2d27d765c11ec88edf6e5dd6f379ab33e072a%40%3Cuser.flink.apache.org%3E
Scores
CVSS v3
5.5
EPSS
0.0012
EPSS Percentile
30.1%
Attack Vector
LOCAL
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Details
CWE
CWE-200
Status
published
Products (6)
apache/hadoop
2.7.0
apache/hadoop
2.7.1
apache/hadoop
< 2.6.3
Apache Software Foundation/Apache Hadoop
2.1.0 to 2.6.3
Apache Software Foundation/Apache Hadoop
2.7.0 to 2.7.1
org.apache.hadoop/hadoop-common
0 - 2.6.4 (Maven)
Published
Aug 30, 2017
Tracked Since
Feb 18, 2026