Product: Apache Hadoop
37 known vulnerabilities across versions
Vulnerabilities are listed by affected version. Select any CVE for the full briefing and its intelligence graph.
CVE | Affected versions | CVSS | Severity | Summary
CVE-2025-27821 | >= 3.2.0 and < 3.4.2 | 7.3 | HIGH | Out-of-bounds Write vulnerability in Apache Hadoop HDFS native client. This issue affects Apache Hadoop: from 3.2.0 before 3.4.2.
CVE-2024-23454 | < 3.4.0 | 6.2 | MEDIUM | Apache Hadoop’s RunJar.run() does not set permissions for temporary directory by default. If sensitive data will be present in
CVE-2023-26031 | >= 3.3.1 and <= 3.3.4 | 7.5 | HIGH | Relative library resolution in linux container-executor binary in Apache Hadoop 3.3.1-3.3.4 on Linux allows local user to gain roo
CVE-2021-25642 | >= 2.9.0 and < 2.10.2 | 8.8 | HIGH | ZKConfigurationStore which is optionally used by CapacityScheduler of Apache Hadoop YARN deserializes data obtained from ZooKeeper
CVE-2022-25168 | >= 2.0.0 and <= 2.10.1 | 9.8 | CRITICAL | Apache Hadoop's FileUtil.unTar(File, File) API does not escape the input file name before being passed to the shell. An attacker c
CVE-2021-33036 | >= 2.2.0 and < 2.10.2 | 8.8 | HIGH | In Apache Hadoop 2.2.0 to 2.10.1, 3.0.0-alpha1 to 3.1.4, 3.2.0 to 3.2.2, and 3.3.0 to 3.3.1, a user who can escalate to yarn user
CVE-2021-37404 | >= 2.9.0 and < 2.10.2 | 9.8 | CRITICAL | There is a potential heap buffer overflow in Apache Hadoop libhdfs native code. Opening a file path provided by user without valid
CVE-2022-26612 | < 3.2.3 | 9.8 | CRITICAL | In Apache Hadoop, the unTar function uses unTarUsingJava function on Windows and the built-in tar utility on Unix and other OSes.
CVE-2020-9492 | >= 2.0.0 and <= 2.10.0 | 8.8 | HIGH | In Apache Hadoop 3.2.0 to 3.2.1, 3.0.0-alpha1 to 3.1.3, and 2.0.0-alpha to 2.10.0, WebHDFS client might send SPNEGO authorization
CVE-2018-11764 | all versions | 8.8 | HIGH | Web endpoint authentication check is broken in Apache Hadoop 3.0.0-alpha4, 3.0.0-beta1, and 3.0.0. Authenticated users may imperso
CVE-2018-11765 | >= 2.8.0 and <= 2.8.5 | 7.5 | HIGH | In Apache Hadoop versions 3.0.0-alpha2 to 3.0.0, 2.9.0 to 2.9.2, 2.8.0 to 2.8.5, any users can access some servlets without authen
CVE-2012-2945 | all versions | 7.5 | HIGH | Hadoop 1.0.3 contains a symlink vulnerability.
CVE-2019-17195 | all versions | 9.8 | CRITICAL | Connect2id Nimbus JOSE+JWT before v7.9 can throw various uncaught exceptions while parsing a JWT, which could result in an applica
CVE-2018-11768 | >= 2.2.0 and <= 2.8.4 | 7.5 | HIGH | In Apache Hadoop 3.1.0 to 3.1.1, 3.0.0-alpha1 to 3.0.3, 2.9.0 to 2.9.1, and 2.0.0-alpha to 2.8.4, the user/group information can b
CVE-2018-8029 | >= 2.2.0 and <= 2.8.4 | 8.8 | HIGH | In Apache Hadoop versions 3.0.0-alpha1 to 3.1.0, 2.9.0 to 2.9.1, and 2.2.0 to 2.8.4, a user who can escalate to yarn user can poss
CVE-2018-11767 | >= 2.7.5 and <= 2.7.6 | 7.4 | HIGH | In Apache Hadoop 2.9.0 to 2.9.1, 2.8.3 to 2.8.4, 2.7.5 to 2.7.6, KMS blocking users or granting access to users incorrectly, if th
CVE-2018-1296 | >= 2.5.0 and <= 2.7.5 | 7.5 | HIGH | In Apache Hadoop 3.0.0-alpha1 to 3.0.0, 2.9.0, 2.8.0 to 2.8.3, and 2.5.0 to 2.7.5, HDFS exposes extended attribute key/value pairs
CVE-2018-11766 | >= 2.7.4 and <= 2.7.6 | 8.8 | HIGH | In Apache Hadoop 2.7.4 to 2.7.6, the security fix for CVE-2016-6811 is incomplete. A user who can escalate to yarn user can possib
CVE-2018-8009 | >= 0.23.0 and <= 0.23.11 | 8.8 | HIGH | Apache Hadoop 3.1.0, 3.0.0-alpha to 3.0.2, 2.9.0 to 2.9.1, 2.8.0 to 2.8.4, 2.0.0-alpha to 2.7.6, 0.23.0 to 0.23.11 is exploitable
CVE-2017-15718 | all versions | 9.8 | CRITICAL | The YARN NodeManager in Apache Hadoop 2.7.3 and 2.7.4 can leak the password for credential store provider used by the NodeManager
CVE-2017-15713 | >= 0.23.0 and <= 0.23.11 | 6.5 | MEDIUM | Vulnerability in Apache Hadoop 0.23.x, 2.x before 2.7.5, 2.8.x before 2.8.3, and 3.0.0-alpha through 3.0.0-beta1 allows a cluster
CVE-2017-3166 | all versions | 7.8 | HIGH | In Apache Hadoop versions 2.6.1 to 2.6.5, 2.7.0 to 2.7.3, and 3.0.0-alpha1, if a file in an encryption zone with access permission
CVE-2012-4449 | <= 0.23.3 | 9.8 | CRITICAL | Apache Hadoop before 0.23.4, 1.x before 1.0.4, and 2.x before 2.0.2 generate token passwords using a 20-bit secret when Kerberos s
CVE-2016-3086 | all versions | 9.8 | CRITICAL | The YARN NodeManager in Apache Hadoop 2.6.x before 2.6.5 and 2.7.x before 2.7.3 can leak the password for credential store provide
CVE-2016-5001 | <= 2.6.3 | 5.5 | MEDIUM | This is an information disclosure vulnerability in Apache Hadoop before 2.6.4 and 2.7.x before 2.7.2 in the short-circuit reads fe
CVE-2017-7669 | all versions | 7.5 | HIGH | In Apache Hadoop 2.8.0, 3.0.0-alpha1, and 3.0.0-alpha2, the LinuxContainerExecutor runs docker commands as root with insufficient
CVE-2017-3162 | <= 2.6.5 | 7.3 | HIGH | HDFS clients interact with a servlet on the DataNode to browse the HDFS namespace. The NameNode is provided as a query parameter t
CVE-2017-3161 | <= 2.6.5 | 6.1 | MEDIUM | The HDFS web UI in Apache Hadoop before 2.7.0 is vulnerable to a cross-site scripting (XSS) attack through an unescaped query para
CVE-2016-6811 | >= 2.2.0 and <= 2.7.3 | 8.8 | HIGH | In Apache Hadoop 2.x before 2.7.4, a user who can escalate to yarn user can possibly run arbitrary commands as root user.
CVE-2014-0229 | all versions | 6.5 | MEDIUM | Apache Hadoop 0.23.x before 0.23.11 and 2.x before 2.4.1, as used in Cloudera CDH 5.0.x before 5.0.2, do not check authorization f
CVE-2016-5393 | all versions | 8.8 | HIGH | In Apache Hadoop 2.6.x before 2.6.5 and 2.7.x before 2.7.3, a remote user who can authenticate with the HDFS NameNode can possibly
CVE-2015-1776 | all versions | 6.2 | MEDIUM | Apache Hadoop 2.6.x encrypts intermediate data generated by a MapReduce job and stores it along with the encryption key in a crede
CVE-2015-7430 | all versions | 8.4 | HIGH | The Hadoop connector 1.1.1, 2.4, 2.5, and 2.7.0-0 before 2.7.0-3 for IBM Spectrum Scale and General Parallel File System (GPFS) al
CVE-2014-3627 | all versions | not listed | not listed | The YARN NodeManager daemon in Apache Hadoop 0.23.0 through 0.23.11 and 2.x before 2.5.2, when using Kerberos authentication, allo
CVE-2013-2192 | all versions | not listed | not listed | The RPC protocol implementation in Apache Hadoop 2.x before 2.0.6-alpha, 0.23.x before 0.23.9, and 1.x before 1.2.1, when the Kerb
CVE-2012-3376 | all versions | not listed | not listed | DataNodes in Apache Hadoop 2.0.0 alpha does not check the BlockTokens of clients when Kerberos is enabled and the DataNode has che
CVE-2012-1574 | all versions | not listed | not listed | The Kerberos/MapReduce security functionality in Apache Hadoop 0.20.203.0 through 0.20.205.0, 0.23.x before 0.23.2, and 1.0.x befo
threatengine.sh · Open-source threat intelligence platform · 100+ authoritative sources · Every fact traces to its origin