# Vulnerable Library - hadoop-common-2.7.5.jar
Apache Hadoop Common
Path to dependency file: /piglet/build.gradle.kts
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.hadoop/hadoop-common/2.7.5/6c480e12f6a9659d3cfad33f6edcd2e7f2d988c4/hadoop-common-2.7.5.jar
Found in HEAD commit: f6d2dad5acc2cc4171db53e59d2389ab0005f9ff
## Vulnerabilities

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation**

## Details
**CVE-2022-26612**

### Vulnerable Library - hadoop-common-2.7.5.jar

Apache Hadoop Common
Path to dependency file: /piglet/build.gradle.kts
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.hadoop/hadoop-common/2.7.5/6c480e12f6a9659d3cfad33f6edcd2e7f2d988c4/hadoop-common-2.7.5.jar
Dependency Hierarchy:
- :x: **hadoop-common-2.7.5.jar** (Vulnerable Library)
Found in HEAD commit: f6d2dad5acc2cc4171db53e59d2389ab0005f9ff
Found in base branch: main
### Vulnerability Details

In Apache Hadoop, the unTar function uses the unTarUsingJava function on Windows and the built-in tar utility on Unix and other OSes. As a result, a TAR entry may create a symlink under the expected extraction directory which points to an external directory. A subsequent TAR entry may extract an arbitrary file into the external directory using the symlink name. This would be caught by the same targetDirPath check on Unix because of the getCanonicalPath call. However, on Windows getCanonicalPath doesn't resolve symbolic links, which bypasses the check. unpackEntries during TAR extraction follows symbolic links, which allows writing outside the expected base directory on Windows. This was addressed in Apache Hadoop 3.2.3.
Publish Date: 2022-04-07
URL: CVE-2022-26612
### CVSS 3 Score Details (9.8)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2022-26612
Release Date: 2022-04-07
Fix Resolution: org.apache.hadoop:hadoop-common:3.2.3
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

**CVE-2022-25168**

### Vulnerable Library - hadoop-common-2.7.5.jar

Apache Hadoop Common
Path to dependency file: /piglet/build.gradle.kts
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.hadoop/hadoop-common/2.7.5/6c480e12f6a9659d3cfad33f6edcd2e7f2d988c4/hadoop-common-2.7.5.jar
Dependency Hierarchy:
- :x: **hadoop-common-2.7.5.jar** (Vulnerable Library)
Found in HEAD commit: f6d2dad5acc2cc4171db53e59d2389ab0005f9ff
Found in base branch: main
### Vulnerability Details

Apache Hadoop's FileUtil.unTar(File, File) API does not escape the input file name before it is passed to the shell. An attacker can inject arbitrary commands. This is only used in Hadoop 3.3 InMemoryAliasMap.completeBootstrapTransfer, which is only ever run by a local user. It has been used in Hadoop 2.x for yarn localization, which does enable remote code execution. It is used in Apache Spark, from the SQL command ADD ARCHIVE. As the ADD ARCHIVE command adds new binaries to the classpath, being able to execute shell scripts does not confer new permissions to the caller. SPARK-38305, "Check existence of file before untarring/zipping", which is included in 3.3.0, 3.1.4, 3.2.2, prevents shell commands being executed, regardless of which version of the Hadoop libraries is in use. Users should upgrade to Apache Hadoop 2.10.2, 3.2.4, 3.3.3 or later (including HADOOP-18136).
Publish Date: 2022-08-04
URL: CVE-2022-25168
### CVSS 3 Score Details (9.8)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version
Origin: https://lists.apache.org/thread/mxqnb39jfrwgs3j6phwvlrfq4mlox130
Release Date: 2022-08-04
Fix Resolution: 2.10.2
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

**CVE-2018-8029**

### Vulnerable Library - hadoop-common-2.7.5.jar

Apache Hadoop Common
Path to dependency file: /piglet/build.gradle.kts
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.hadoop/hadoop-common/2.7.5/6c480e12f6a9659d3cfad33f6edcd2e7f2d988c4/hadoop-common-2.7.5.jar
Dependency Hierarchy:
- :x: **hadoop-common-2.7.5.jar** (Vulnerable Library)
Found in HEAD commit: f6d2dad5acc2cc4171db53e59d2389ab0005f9ff
Found in base branch: main
### Vulnerability Details

In Apache Hadoop versions 3.0.0-alpha1 to 3.1.0, 2.9.0 to 2.9.1, and 2.2.0 to 2.8.4, a user who can escalate to the yarn user can possibly run arbitrary commands as the root user.
Publish Date: 2019-05-30
URL: CVE-2018-8029
### CVSS 3 Score Details (8.8)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8029
Release Date: 2019-05-30
Fix Resolution: 2.8.5
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

**CVE-2018-11766**

### Vulnerable Library - hadoop-common-2.7.5.jar

Apache Hadoop Common
Path to dependency file: /piglet/build.gradle.kts
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.hadoop/hadoop-common/2.7.5/6c480e12f6a9659d3cfad33f6edcd2e7f2d988c4/hadoop-common-2.7.5.jar
Dependency Hierarchy:
- :x: **hadoop-common-2.7.5.jar** (Vulnerable Library)
Found in HEAD commit: f6d2dad5acc2cc4171db53e59d2389ab0005f9ff
Found in base branch: main
### Vulnerability Details

In Apache Hadoop 2.7.4 to 2.7.6, the security fix for CVE-2016-6811 is incomplete. A user who can escalate to the yarn user can possibly run arbitrary commands as the root user.
Publish Date: 2018-11-27
URL: CVE-2018-11766
### CVSS 3 Score Details (8.8)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version
Origin: https://lists.apache.org/thread.html/ff37bbbe09d5f03090e2dd2c3dea95de16ef4249e731f19b8959ce4c@%3Cgeneral.hadoop.apache.org%3E
Release Date: 2018-11-27
Fix Resolution: 2.7.7
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

**WS-2016-7071**

### Vulnerable Library - hadoop-common-2.7.5.jar

Apache Hadoop Common
Path to dependency file: /piglet/build.gradle.kts
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.hadoop/hadoop-common/2.7.5/6c480e12f6a9659d3cfad33f6edcd2e7f2d988c4/hadoop-common-2.7.5.jar
Dependency Hierarchy:
- :x: **hadoop-common-2.7.5.jar** (Vulnerable Library)
Found in HEAD commit: f6d2dad5acc2cc4171db53e59d2389ab0005f9ff
Found in base branch: main
### Vulnerability Details

Apache Hadoop versions 2.7.2 to 2.7.7 are vulnerable to Cross-Site Request Forgery that targets HTTP requests to “NameNode” and “DataNode”.
Publish Date: 2016-02-18
URL: WS-2016-7071
### CVSS 3 Score Details (7.1)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: Low
  - User Interaction: None
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: None
  - Availability Impact: Low

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version
Release Date: 2016-02-18
Fix Resolution: 2.8.0
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

**CVE-2017-15713**

### Vulnerable Library - hadoop-common-2.7.5.jar

Apache Hadoop Common
Path to dependency file: /piglet/build.gradle.kts
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.hadoop/hadoop-common/2.7.5/6c480e12f6a9659d3cfad33f6edcd2e7f2d988c4/hadoop-common-2.7.5.jar
Dependency Hierarchy:
- :x: **hadoop-common-2.7.5.jar** (Vulnerable Library)
Found in HEAD commit: f6d2dad5acc2cc4171db53e59d2389ab0005f9ff
Found in base branch: main
### Vulnerability Details

A vulnerability in Apache Hadoop 0.23.x, 2.x before 2.7.5, 2.8.x before 2.8.3, and 3.0.0-alpha through 3.0.0-beta1 allows a cluster user to expose private files owned by the user running the MapReduce job history server process. The malicious user can construct a configuration file containing XML directives that reference sensitive files on the MapReduce job history server host.
Publish Date: 2018-01-19
URL: CVE-2017-15713
### CVSS 3 Score Details (6.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: None
  - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version
Origin: https://lists.apache.org/thread.html/a790a251ace7213bde9f69777dedb453b1a01a6d18289c14a61d4f91@%3Cgeneral.hadoop.apache.org%3E
Release Date: 2018-01-19
Fix Resolution: 2.8.3
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.