CVE-2018-11766

HIGH8.8EPSS 0.49%

Arbitrary Command Execution in Hadoop

Published: 12/21/2018Modified: 12/2/2024

Description

In Apache Hadoop 2.7.4 to 2.7.6, the security fix for CVE-2016-6811 is incomplete. A user who can escalate to yarn user can possibly run arbitrary commands as root user.

Affected packages (1)

Maven/org.apache.hadoop:hadoop-main>= 2.7.4, < 2.7.7

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH8.8	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References (4)

ADVISORYhttps://github.com/advisories/GHSA-rqj9-cq6j-958r
ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2018-11766
WEBhttps://lists.apache.org/thread.html/ff37bbbe09d5f03090e2dd2c3dea95de16ef4249e731f19b8959ce4c@%3Cgeneral.hadoop.apache.org%3E
WEBhttp://www.securityfocus.com/bid/106035