CVE-2016-5001

Summary

This is an information disclosure vulnerability in Apache Hadoop before 2.6.4 and 2.7.x before 2.7.2 in the short-circuit reads feature of HDFS. A local user on an HDFS DataNode may be able to craft a block token that grants unauthorized read access to random files by guessing certain fields in the token.

Affected Software

VendorProductVersion RangeStatus
Apache Software FoundationApache Hadoop2.1.0 to 2.6.3affected
Apache Software FoundationApache Hadoop2.7.0 to 2.7.1affected

Weaknesses

  • Information Disclosure

ADP Enrichment

CVE Program Container

Additional References

References