Apache hadoop

This hub aggregates every CVE we track for Apache hadoop, a product in the databases space. Use it to gauge the current risk picture and drill into individual advisories.

Severity distribution

Monthly trend

The 15 most recently published vulnerabilities affecting Apache hadoop.

• CVE-2024-23454Apache Hadoop: Temporary File Local Information Disclosure6.2Sep 25, 2024
• CVE-2023-26031Privilege escalation in Apache Hadoop Yarn container-executor binary on Linux systems7.5Nov 16, 2023
• CVE-2021-25642Apache Hadoop YARN remote code execution in ZKConfigurationStore of capacity scheduler8.8Aug 25, 2022
• CVE-2022-25168Command injection in org.apache.hadoop.fs.FileUtil.unTarUsingTar9.8Aug 4, 2022
• CVE-2021-33036Apache Hadoop Privilege escalation vulnerability8.8Jun 15, 2022
• CVE-2021-37404Heap buffer overflow in libhdfs native library9.8Jun 13, 2022
• CVE-2022-26612Arbitrary file write in FileUtil#unpackEntries on Windows9.8Apr 7, 2022
• CVE-2018-1296In Apache Hadoop 3.0.0-alpha1 to 3.0.0, 2.9.0, 2.8.0 to 2.8.3, and 2.5.0 to 2.7.5, HDFS exposes extended attribute key/value pairs during listXAttrs, verifying only path-level search access to the ...7.5Feb 7, 2019
• CVE-2018-11766In Apache Hadoop 2.7.4 to 2.7.6, the security fix for CVE-2016-6811 is incomplete. A user who can escalate to yarn user can possibly run arbitrary commands as root user.8.8Nov 27, 2018
• CVE-2018-8009Apache Hadoop 3.1.0, 3.0.0-alpha to 3.0.2, 2.9.0 to 2.9.1, 2.8.0 to 2.8.4, 2.0.0-alpha to 2.7.6, 0.23.0 to 0.23.11 is exploitable via the zip slip vulnerability in places that accept a zip file.8.8Nov 13, 2018
• CVE-2017-15718The YARN NodeManager in Apache Hadoop 2.7.3 and 2.7.4 can leak the password for credential store provider used by the NodeManager to YARN Applications.9.8Jan 24, 2018
• CVE-2017-15713Vulnerability in Apache Hadoop 0.23.x, 2.x before 2.7.5, 2.8.x before 2.8.3, and 3.0.0-alpha through 3.0.0-beta1 allows a cluster user to expose private files owned by the user running the MapReduc...6.5Jan 19, 2018
• CVE-2017-3166In Apache Hadoop versions 2.6.1 to 2.6.5, 2.7.0 to 2.7.3, and 3.0.0-alpha1, if a file in an encryption zone with access permissions that make it world readable is localized via YARN's localization ...7.8Nov 13, 2017
• CVE-2016-3086The YARN NodeManager in Apache Hadoop 2.6.x before 2.6.5 and 2.7.x before 2.7.3 can leak the password for credential store provider used by the NodeManager to YARN Applications.9.8Sep 5, 2017
• CVE-2016-5001This is an information disclosure vulnerability in Apache Hadoop before 2.6.4 and 2.7.x before 2.7.2 in the short-circuit reads feature of HDFS. A local user on an HDFS DataNode may be able to craf...5.5Aug 30, 2017