CVE-2017-3166

Published: Nov 13, 2017Modified: May 13, 2026

7.8

Vector

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability: 1.8 / Impact: 5.9

Source: NVD

Description

In Apache Hadoop versions 2.6.1 to 2.6.5, 2.7.0 to 2.7.3, and 3.0.0-alpha1, if a file in an encryption zone with access permissions that make it world readable is localized via YARN's localization mechanism, that file will be stored in a world-readable location and can be shared freely with any application that requests to localize that file.

Affected (10)

Products: Apache: Hadoop

Apache

1 product

Hadoop

Configuration A

10 vulnerable

Vulnerable Software	Affected Versions
Apache Hadoop	Version 2.6.1
Apache Hadoop	Version 2.6.2
Apache Hadoop	Version 2.6.3
Apache Hadoop	Version 2.6.4
Apache Hadoop	Version 2.6.5
Apache Hadoop	Version 2.7.0
Apache Hadoop	Version 2.7.1
Apache Hadoop	Version 2.7.2
Apache Hadoop	Version 2.7.3
Apache Hadoop	Version 3.0.0 alpha1

Related CWEs

CWE-732

Incorrect Permission Assignment for Critical Resource

The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.

References (4)

https://lists.apache.org/thread.html/2e16689b44bdd1976b6368c143a4017fc7159d1f2d02a5d54fe9310f%40%3Cgeneral.hadoop.apache.org%3E

Source: security@apache.org

https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe%40%3Ccommits.druid.apache.org%3E

Source: security@apache.org

https://lists.apache.org/thread.html/2e16689b44bdd1976b6368c143a4017fc7159d1f2d02a5d54fe9310f%40%3Cgeneral.hadoop.apache.org%3E

Source: af854a3a-2127-422b-91ae-364da2661108

https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe%40%3Ccommits.druid.apache.org%3E

Source: af854a3a-2127-422b-91ae-364da2661108

Timeline

No history available yet.