CVE-2018-1296: Infoleak
First published: Thu Feb 07 2019(Updated: )
In Apache Hadoop 3.0.0-alpha1 to 3.0.0, 2.9.0, 2.8.0 to 2.8.3, and 2.5.0 to 2.7.5, HDFS exposes extended attribute key/value pairs during listXAttrs, verifying only path-level search access to the directory rather than path-level read permission to the referent.
Credit: security@apache.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Apache Hadoop | >=2.5.0<=2.7.5 | |
| Apache Hadoop | =2.8.0 | |
| Apache Hadoop | =2.8.1 | |
| Apache Hadoop | =2.8.2 | |
| Apache Hadoop | =2.8.3 | |
| Apache Hadoop | =2.9.0 | |
| Apache Hadoop | =3.0.0 | |
| Apache Hadoop | =3.0.0-alpha1 | |
| Apache Hadoop | =3.0.0-alpha2 | |
| Apache Hadoop | =3.0.0-alpha3 | |
| Apache Hadoop | =3.0.0-alpha4 | |
| Apache Hadoop | =3.0.0-beta1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2018-1296?
CVE-2018-1296 is a vulnerability in Apache Hadoop that allows unauthorized access to extended attribute key/value pairs.
Which versions of Apache Hadoop are affected by CVE-2018-1296?
Apache Hadoop versions 3.0.0-alpha1 to 3.0.0, 2.9.0, 2.8.0 to 2.8.3, and 2.5.0 to 2.7.5 are affected by CVE-2018-1296.
What is the severity of CVE-2018-1296?
CVE-2018-1296 has a severity value of 7.5, indicating a high severity.
How can I fix CVE-2018-1296?
To fix CVE-2018-1296, upgrade to a patched version of Apache Hadoop.
Where can I find more information about CVE-2018-1296?
More information about CVE-2018-1296 can be found at the following references: [http://www.securityfocus.com/bid/106764](http://www.securityfocus.com/bid/106764) and [https://lists.apache.org/thread.html/a5b15bc76fbdad2ee40761aacf954a13aeef67e305f86d483f267e8e@%3Cuser.hadoop.apache.org%3E](https://lists.apache.org/thread.html/a5b15bc76fbdad2ee40761aacf954a13aeef67e305f86d483f267e8e@%3Cuser.hadoop.apache.org%3E)
- collector/nvd-index
- vendor/apache
- canonical/apache hadoop
- version/apache hadoop/2.5.0
- version/apache hadoop/2.7.5
- version/apache hadoop/2.8.0
- version/apache hadoop/2.8.1
- version/apache hadoop/2.8.2
- version/apache hadoop/2.8.3
- version/apache hadoop/2.9.0
- version/apache hadoop/3.0.0
- version/apache hadoop/3.0.0-alpha1
- version/apache hadoop/3.0.0-alpha2
- version/apache hadoop/3.0.0-alpha3
- version/apache hadoop/3.0.0-alpha4
- version/apache hadoop/3.0.0-beta1