jgeraigery / hadoop-555665675

Apache Hadoop
https://hadoop.apache.org/
Apache License 2.0

hadooprelease-3.3.6-RC1: 7 vulnerabilities (highest severity is: 9.8) #89

Open mend-for-github-com[bot] opened 6 months ago

mend-for-github-com[bot] commented 6 months ago
Vulnerable Library - hadooprelease-3.3.6-RC1

Library home page: https://github.com/apache/hadoop.git

Vulnerable Source Files (2)

/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/impl/utils/cJSON/cJSON.c
/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/impl/utils/cJSON/cJSON.c

Vulnerabilities

| CVE | Severity | CVSS | Exploit Maturity | EPSS | Dependency | Type | Fixed in (hadooprelease version) | Remediation Possible** | Reachability |
|---|---|---|---|---|---|---|---|---|---|
| CVE-2021-37404 | Critical | 9.8 | Not Defined | 0.2% | hadooprelease-3.3.6-RC1 | Direct | org.apache.hadoop:hadoop-hdfs-native-client:2.10.2,3.2.3,3.3.2 | | |
| CVE-2019-11835 | Critical | 9.8 | Not Defined | 0.6% | hadooprelease-3.3.6-RC1 | Direct | v1.7.11 | | |
| CVE-2019-11834 | Critical | 9.8 | Not Defined | 0.6% | hadooprelease-3.3.6-RC1 | Direct | v1.7.11 | | |
| CVE-2024-31755 | High | 7.6 | Not Defined | 0.0% | hadooprelease-3.3.6-RC1 | Direct | 7e4d5dabe7a9b754c601f214e65b544e67ba9f59 | | |
| CVE-2023-50472 | High | 7.5 | Not Defined | 0.1% | hadooprelease-3.3.6-RC1 | Direct | N/A | | |
| CVE-2023-50471 | High | 7.5 | Not Defined | 0.1% | hadooprelease-3.3.6-RC1 | Direct | N/A | | |
| CVE-2019-1010239 | High | 7.5 | Not Defined | 0.3% | hadooprelease-3.3.6-RC1 | Direct | v1.7.9 | | |

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

## CVE-2021-37404

### Vulnerable Library - hadooprelease-3.3.6-RC1

Library home page: https://github.com/apache/hadoop.git

Found in base branch: hubspot-3.3

### Vulnerable Source Files (1)

/hadoop-hdfs-project/hadoop-hdfs-native-client/src/main/native/libhdfs/hdfs.c

### Vulnerability Details

There is a potential heap buffer overflow in Apache Hadoop libhdfs native code. Opening a file path provided by user without validation may result in a denial of service or arbitrary code execution. Users should upgrade to Apache Hadoop 2.10.2, 3.2.3, 3.3.2 or higher.

Publish Date: 2022-06-13

URL: CVE-2021-37404

### Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.2%

### CVSS 3 Score Details (9.8)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High


### Suggested Fix

Type: Upgrade version

Origin: https://lists.apache.org/thread/2h56ztcj3ojc66qzf1nno88vjw9vd4wo

Release Date: 2022-06-13

Fix Resolution: org.apache.hadoop:hadoop-hdfs-native-client:2.10.2,3.2.3,3.3.2

## CVE-2019-11835

### Vulnerable Library - hadooprelease-3.3.6-RC1

Library home page: https://github.com/apache/hadoop.git

Found in base branch: hubspot-3.3

### Vulnerable Source Files (2)

/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/impl/utils/cJSON/cJSON.c
/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/impl/utils/cJSON/cJSON.c

### Vulnerability Details

cJSON before 1.7.11 allows out-of-bounds access, related to multiline comments.

Publish Date: 2019-05-09

URL: CVE-2019-11835

### Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.6%

### CVSS 3 Score Details (9.8)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High


### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11835

Release Date: 2019-05-09

Fix Resolution: v1.7.11

## CVE-2019-11834

### Vulnerable Library - hadooprelease-3.3.6-RC1

Library home page: https://github.com/apache/hadoop.git

Found in base branch: hubspot-3.3

### Vulnerable Source Files (2)

/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/impl/utils/cJSON/cJSON.c
/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/impl/utils/cJSON/cJSON.c

### Vulnerability Details

cJSON before 1.7.11 allows out-of-bounds access, related to \x00 in a string literal.

Publish Date: 2019-05-09

URL: CVE-2019-11834

### Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.6%

### CVSS 3 Score Details (9.8)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High


### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11835

Release Date: 2019-05-09

Fix Resolution: v1.7.11

## CVE-2024-31755

### Vulnerable Library - hadooprelease-3.3.6-RC1

Library home page: https://github.com/apache/hadoop.git

Found in base branch: hubspot-3.3

### Vulnerable Source Files (2)

/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/impl/utils/cJSON/cJSON.c
/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/impl/utils/cJSON/cJSON.c

### Vulnerability Details

cJSON v1.7.17 was discovered to contain a segmentation violation, which can be triggered through the second parameter of the function cJSON_SetValuestring at cJSON.c.

Publish Date: 2024-04-26

URL: CVE-2024-31755

### Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.0%

### CVSS 3 Score Details (7.6)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: High


### Suggested Fix

Type: Upgrade version

Release Date: 2024-04-26

Fix Resolution: 7e4d5dabe7a9b754c601f214e65b544e67ba9f59

## CVE-2023-50472

### Vulnerable Library - hadooprelease-3.3.6-RC1

Library home page: https://github.com/apache/hadoop.git

Found in base branch: hubspot-3.3

### Vulnerable Source Files (2)

/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/impl/utils/cJSON/cJSON.c
/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/impl/utils/cJSON/cJSON.c

### Vulnerability Details

cJSON v1.7.16 was discovered to contain a segmentation violation via the function cJSON_SetValuestring at cJSON.c.

Publish Date: 2023-12-14

URL: CVE-2023-50472

### Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.1%

### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High


## CVE-2023-50471

### Vulnerable Library - hadooprelease-3.3.6-RC1

Library home page: https://github.com/apache/hadoop.git

Found in base branch: hubspot-3.3

### Vulnerable Source Files (2)

/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/impl/utils/cJSON/cJSON.c
/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/impl/utils/cJSON/cJSON.c

### Vulnerability Details

cJSON v1.7.16 was discovered to contain a segmentation violation via the function cJSON_InsertItemInArray at cJSON.c.

Publish Date: 2023-12-14

URL: CVE-2023-50471

### Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.1%

### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High


## CVE-2019-1010239

### Vulnerable Library - hadooprelease-3.3.6-RC1

Library home page: https://github.com/apache/hadoop.git

Found in base branch: hubspot-3.3

### Vulnerable Source Files (2)

/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/impl/utils/cJSON/cJSON.c
/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/impl/utils/cJSON/cJSON.c

### Vulnerability Details

DaveGamble/cJSON cJSON 1.7.8 is affected by: Improper Check for Unusual or Exceptional Conditions. The impact is: a NULL dereference, so an attack can cause denial of service. The component is: the cJSON_GetObjectItemCaseSensitive() function. The attack vector is: a crafted JSON file. The fixed version is: 1.7.9 and later.

Publish Date: 2019-07-19

URL: CVE-2019-1010239

### Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.3%

### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High


### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1010239

Release Date: 2019-07-19

Fix Resolution: v1.7.9