Vulnerability Description
In Apache Hadoop versions 2.6.1 to 2.6.5, 2.7.0 to 2.7.3, and 3.0.0-alpha1, if a file in an encryption zone with access permissions that make it world readable is localized via YARN's localization mechanism, that file will be stored in a world-readable location and can be shared freely with any application that requests to localize that file.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Apache | Hadoop | 2.6.1 |
Related Weaknesses (CWE)
References
- https://lists.apache.org/thread.html/2e16689b44bdd1976b6368c143a4017fc7159d1f2d0
- https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b667
- https://lists.apache.org/thread.html/2e16689b44bdd1976b6368c143a4017fc7159d1f2d0
- https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b667
FAQ
What is CVE-2017-3166?
CVE-2017-3166 is a vulnerability with a CVSS score of 7.8 (HIGH). In Apache Hadoop versions 2.6.1 to 2.6.5, 2.7.0 to 2.7.3, and 3.0.0-alpha1, if a file in an encryption zone with access permissions that make it world readable is localized via YARN's localization mec...
How severe is CVE-2017-3166?
CVE-2017-3166 has been rated HIGH with a CVSS base score of 7.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2017-3166?
Check the references section above for vendor advisories and patch information. Affected products include: Apache Hadoop.