CVE-2018-1296
HIGH
Apache Hadoop 2.5.0-2.7.5 and 2.8.0-2.8.3 - Unauthorized Exposure of Extended Attributes
Title source: llm
Description
In Apache Hadoop 3.0.0-alpha1 to 3.0.0, 2.9.0, 2.8.0 to 2.8.3, and 2.5.0 to 2.7.5, HDFS exposes extended attribute key/value pairs during listXAttrs, verifying only path-level search access to the directory rather than path-level read permission to the referent.
References (2)
Core References
Third Party Advisory vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/106764
Scores
CVSS v3
7.5
EPSS
0.0057
EPSS Percentile
69.0%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Details
CWE
CWE-200
Status
published
Products (8)
apache/hadoop
2.8.0
apache/hadoop
2.8.1
apache/hadoop
2.8.2
apache/hadoop
2.8.3
apache/hadoop
2.9.0
apache/hadoop
3.0.0 (6 CPE variants)
apache/hadoop
2.5.0 - 2.7.5
org.apache.hadoop/hadoop-main
0 - 2.7.6 (Maven)
Published
Feb 07, 2019
Tracked Since
Feb 18, 2026