CVE-2014-3627

  1. Yack CVE
  2. Vulnerabilities (CVE)
  3. CVE-2014-3627

5.0 /10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:L/Au:N/C:P/I:N/A:N

Exploitability : 10.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

T

he YARN NodeManager daemon in Apache Hadoop 0.23.0 through 0.23.11 and 2.x before 2.5.2, when using Kerberos authentication, allows remote cluster users to change the permissions of certain files to world-readable via a symlink attack in a public tar archive, which is not properly handled during localization, related to distributed cache.

References
Link Resource
http://mail-archives.apache.org/mod_mbox/hadoop-general/201411.mbox/%3CCALwhT97dOi04aC3VbekaB+zn2UAS_OZV2EAiP78GmjnMzfp2Ug%40mail.gmail.com%3E
http://secunia.com/advisories/60079
http://secunia.com/advisories/60432
http://mail-archives.apache.org/mod_mbox/hadoop-general/201411.mbox/%3CCALwhT97dOi04aC3VbekaB+zn2UAS_OZV2EAiP78GmjnMzfp2Ug%40mail.gmail.com%3E
http://secunia.com/advisories/60079
http://secunia.com/advisories/60432
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:apache:hadoop:0.23.0:*:*:*:*:*:*:*
cpe:2.3:a:apache:hadoop:0.23.1:*:*:*:*:*:*:*
cpe:2.3:a:apache:hadoop:0.23.3:*:*:*:*:*:*:*
cpe:2.3:a:apache:hadoop:0.23.4:*:*:*:*:*:*:*
cpe:2.3:a:apache:hadoop:0.23.5:*:*:*:*:*:*:*
cpe:2.3:a:apache:hadoop:0.23.6:*:*:*:*:*:*:*
cpe:2.3:a:apache:hadoop:0.23.7:*:*:*:*:*:*:*
cpe:2.3:a:apache:hadoop:0.23.8:*:*:*:*:*:*:*
cpe:2.3:a:apache:hadoop:0.23.9:*:*:*:*:*:*:*
cpe:2.3:a:apache:hadoop:0.23.10:*:*:*:*:*:*:*
cpe:2.3:a:apache:hadoop:0.23.11:*:*:*:*:*:*:*
cpe:2.3:a:apache:hadoop:2.0.0:alpha:*:*:*:*:*:*
cpe:2.3:a:apache:hadoop:2.0.1:alpha:*:*:*:*:*:*
cpe:2.3:a:apache:hadoop:2.0.2:alpha:*:*:*:*:*:*
cpe:2.3:a:apache:hadoop:2.0.3:alpha:*:*:*:*:*:*
cpe:2.3:a:apache:hadoop:2.0.4:alpha:*:*:*:*:*:*
cpe:2.3:a:apache:hadoop:2.0.5:alpha:*:*:*:*:*:*
cpe:2.3:a:apache:hadoop:2.0.6:alpha:*:*:*:*:*:*
cpe:2.3:a:apache:hadoop:2.1.0:beta:*:*:*:*:*:*
cpe:2.3:a:apache:hadoop:2.1.1:beta:*:*:*:*:*:*
cpe:2.3:a:apache:hadoop:2.2.0:*:*:*:*:*:*:*
cpe:2.3:a:apache:hadoop:2.3.0:*:*:*:*:*:*:*
cpe:2.3:a:apache:hadoop:2.4.0:*:*:*:*:*:*:*
cpe:2.3:a:apache:hadoop:2.4.1:*:*:*:*:*:*:*
cpe:2.3:a:apache:hadoop:2.5.0:*:*:*:*:*:*:*
cpe:2.3:a:apache:hadoop:2.5.1:*:*:*:*:*:*:*
History

21 Nov 2024, 02:08

Type Values Removed Values Added
References () http://mail-archives.apache.org/mod_mbox/hadoop-general/201411.mbox/%3CCALwhT97dOi04aC3VbekaB+zn2UAS_OZV2EAiP78GmjnMzfp2Ug%40mail.gmail.com%3E - () http://mail-archives.apache.org/mod_mbox/hadoop-general/201411.mbox/%3CCALwhT97dOi04aC3VbekaB+zn2UAS_OZV2EAiP78GmjnMzfp2Ug%40mail.gmail.com%3E -
References () http://secunia.com/advisories/60079 - () http://secunia.com/advisories/60079 -
References () http://secunia.com/advisories/60432 - () http://secunia.com/advisories/60432 -
Information

Published : 2014-12-05 16:59

Updated : 2025-04-12 10:46

NVD link : CVE-2014-3627

Mitre link : CVE-2014-3627

CVE.ORG link : CVE-2014-3627

JSON object : View

Products Affected

apache

CWE
CWE-59

Improper Link Resolution Before File Access ('Link Following')