Vulnerability Details : CVE-2018-11765
In Apache Hadoop versions 3.0.0-alpha2 to 3.0.0, 2.9.0 to 2.9.2, and 2.8.0 to 2.8.5, any user can access some servlets without authentication when Kerberos authentication is enabled but SPNEGO over HTTP is not enabled. In practice this is the cluster where hadoop.security.authentication is set to kerberos (so RPC requires a ticket) while the daemon web interfaces are still left at the default simple HTTP authentication, so the affected servlets answer anonymous requests.
Vulnerability category: Bypass; Gain privilege
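The misconfiguration the advisory describes can be checked offline from core-site.xml and confirmed with an unauthenticated probe of a daemon's web UI. The script below is an added example written for this page; it is not Hadoop project code or a tool referenced by the advisory. It assumes Hadoop's documented HTTP authentication settings (hadoop.http.authentication.type, hadoop.http.filter.initializers with AuthenticationFilterInitializer, and the kerberos principal/keytab properties) are what "SPNEGO through HTTP" means; the two core-site.xml fragments, the host names and the EXAMPLE.COM realm are constructed; and the probe paths (/jmx, /conf, /stacks, /logLevel) are well-known Hadoop daemon servlets used as a generic list, since the advisory does not name which servlets are affected.

```python
"""Audit a Hadoop core-site.xml for Kerberos RPC without SPNEGO on the web UIs,
and optionally probe a daemon's HTTP endpoint anonymously to confirm."""
import xml.etree.ElementTree as ET
from urllib.error import HTTPError, URLError
from urllib.request import Request, urlopen

# Hadoop's servlet filter that turns on SPNEGO (Kerberos over HTTP) for the web consoles.
AUTH_FILTER = "org.apache.hadoop.security.AuthenticationFilterInitializer"

# Well-known Hadoop daemon servlets used as probe targets. Assumption: the advisory
# does not list the affected servlets, so this is a generic set, not the affected set.
PROBE_PATHS = ("/jmx", "/conf", "/stacks", "/logLevel")

# Constructed fragments (not from any real cluster). The weak one matches the
# advisory's precondition: Kerberos on RPC, web UIs left at the default.
WEAK_CORE_SITE = """<?xml version="1.0"?>
<configuration>
  <property><name>hadoop.security.authentication</name><value>kerberos</value></property>
  <property><name>hadoop.security.authorization</name><value>true</value></property>
  <!-- no hadoop.http.* settings: web consoles stay on simple auth, anonymous allowed -->
</configuration>
"""

HARDENED_CORE_SITE = """<?xml version="1.0"?>
<configuration>
  <property><name>hadoop.security.authentication</name><value>kerberos</value></property>
  <property><name>hadoop.security.authorization</name><value>true</value></property>
  <property><name>hadoop.http.filter.initializers</name>
            <value>org.apache.hadoop.security.AuthenticationFilterInitializer</value></property>
  <property><name>hadoop.http.authentication.type</name><value>kerberos</value></property>
  <property><name>hadoop.http.authentication.kerberos.principal</name>
            <value>HTTP/_HOST@EXAMPLE.COM</value></property>
  <property><name>hadoop.http.authentication.kerberos.keytab</name>
            <value>/etc/security/keytabs/spnego.service.keytab</value></property>
  <property><name>hadoop.http.authentication.simple.anonymous.allowed</name><value>false</value></property>
</configuration>
"""


def parse_core_site(xml_text):
    """Return {property name: value} from a core-site.xml document."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = prop.findtext("name")
        if name:
            props[name.strip()] = (prop.findtext("value") or "").strip()
    return props


def audit_http_auth(props):
    """Return findings explaining why the web UIs may accept anonymous requests
    even though RPC requires Kerberos. Empty list means the SPNEGO side is set up."""
    findings = []
    rpc_auth = props.get("hadoop.security.authentication", "simple").lower()
    http_auth = props.get("hadoop.http.authentication.type", "simple").lower()
    initializers = {s.strip() for s in
                    props.get("hadoop.http.filter.initializers", "").split(",")}
    if rpc_auth != "kerberos":
        # A simple-auth cluster is open everywhere, but that is a different problem
        # from the Kerberos-without-SPNEGO mismatch this check is about.
        return findings
    if http_auth != "kerberos":
        findings.append("hadoop.http.authentication.type is %r, not kerberos: "
                        "SPNEGO is not enabled on the web UIs" % http_auth)
    if AUTH_FILTER not in initializers:
        findings.append("hadoop.http.filter.initializers does not include " + AUTH_FILTER)
    if http_auth == "kerberos":
        for key in ("hadoop.http.authentication.kerberos.principal",
                    "hadoop.http.authentication.kerberos.keytab"):
            if not props.get(key):
                findings.append(key + " is not set; SPNEGO cannot complete without it")
    return findings


def http_status(url, timeout=5):
    """Fetch url with no credentials and return the HTTP status (None if unreachable)."""
    try:
        with urlopen(Request(url), timeout=timeout) as resp:
            return resp.status
    except HTTPError as err:
        return err.code
    except URLError:
        return None


def probe_servlets(base_url, paths=PROBE_PATHS, fetch=http_status):
    """Request each servlet anonymously and classify the result. A 200 means the
    servlet served content with no ticket; a SPNEGO-protected servlet answers 401.
    `fetch` is injectable so the classification can be exercised offline."""
    results = {}
    for path in paths:
        code = fetch(base_url.rstrip("/") + path)
        if code is None:
            results[path] = "unreachable"
        elif code == 200:
            results[path] = "anonymous access"
        elif code == 401:
            results[path] = "auth required"
        elif code == 403:
            results[path] = "forbidden"
        else:
            results[path] = "http %d" % code
    return results


if __name__ == "__main__":
    import sys
    for label, xml_text in (("weak", WEAK_CORE_SITE), ("hardened", HARDENED_CORE_SITE)):
        print(label, audit_http_auth(parse_core_site(xml_text)) or ["no findings"])
    if len(sys.argv) > 1:  # e.g. http://namenode.example.com:9870 (constructed host)
        for path, verdict in probe_servlets(sys.argv[1]).items():
            print(path, verdict)
```

Run it with a daemon's HTTP address as the only argument to probe live; without one it only audits the two embedded fragments. The audit reports nothing for a cluster that is simple-auth end to end, because the advisory's precondition (Kerberos enabled) is then absent; treat a 200 from the probe on a Kerberos cluster as confirmation that the web UI is not protected, and an unaffected version is still the real fix.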
Products affected by CVE-2018-11765
- cpe:2.3:a:apache:hadoop:*:*:*:*:*:*:*:* (two range entries, covering 2.8.0 to 2.8.5 and 2.9.0 to 2.9.2 per the description above; the range bounds are not preserved in the CPE strings on this page)
- cpe:2.3:a:apache:hadoop:3.0.0:alpha2:*:*:*:*:*:*
- cpe:2.3:a:apache:hadoop:3.0.0:-:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2018-11765
EPSS score: 0.27% (probability of exploitation activity in the next 30 days)
EPSS percentile: ~63% (the proportion of vulnerabilities scored at or below this one)
CVSS scores for CVE-2018-11765
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
4.3 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:N/A:N (CVSS v2) | 8.6 | 2.9 | NIST |
7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | 3.9 | 3.6 | NIST |
CWE ids for CVE-2018-11765
- When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct. Assigned by: nvd@nist.gov (Primary)
References for CVE-2018-11765
- https://lists.apache.org/thread.html/r17d94d132b207dad221595fd8b8b18628f5f5ec7e3f5be939ecd8928@%3Ccommits.druid.apache.org%3E
  [GitHub] [druid] jon-wei merged pull request #10485: Suppress CVE-2018-11765 for hadoop dependencies (Pony Mail)
- https://lists.apache.org/thread.html/reea5eb8622afbfbfca46bc758f79db83d90a3263a906c4d1acba4971@%3Ccommits.druid.apache.org%3E
  [GitHub] [druid] jon-wei opened a new pull request #10492: [Backport] Suppress CVE-2018-11765 for hadoop dependencies (#10485) (Pony Mail)
- https://lists.apache.org/thread.html/r74825601e93582167eb7cdc2f764c74c9c6d8006fa90018562fda60f@%3Ccommits.druid.apache.org%3E
  [GitHub] [druid] jon-wei merged pull request #10492: [Backport] Suppress CVE-2018-11765 for hadoop dependencies (#10485) (Pony Mail)
- https://lists.apache.org/thread.html/rb21df54a4e39732ce653d2aa5672e36a792b59eb6717f2a06bb8d02a@%3Ccommits.druid.apache.org%3E
  [druid] branch 0.20.0 updated: Suppress CVE-2018-11765 for hadoop dependencies (#10485) (#10492) (Pony Mail)
- https://lists.apache.org/thread.html/r4dddf1705dbedfa94392913b2dad1cd2d1d89040facd389eea0b3510@%3Ccommits.druid.apache.org%3E
  [druid] branch master updated: Suppress CVE-2018-11765 for hadoop dependencies (#10485) (Pony Mail)
- https://lists.apache.org/thread.html/r46447f38ea8c89421614e9efd7de5e656186d35e10fc97cf88477a01@%3Ccommits.druid.apache.org%3E
  [GitHub] [druid] jon-wei merged pull request #10492: [Backport] Suppress CVE-2018-11765 for hadoop dependencies (#10485) (Pony Mail)
- https://lists.apache.org/thread.html/rbe25cac0f499374f8ae17a4a44a8404927b56de28d4c41940d82b7a4@%3Ccommits.druid.apache.org%3E
  [GitHub] [druid] jon-wei opened a new pull request #10485: Suppress CVE-2018-11765 for hadoop dependencies (Pony Mail)
- https://lists.apache.org/thread.html/rf9dfa8b77585c9227db9637552eebb2ab029255a0db4eb76c2b6c4cf@%3Cdev.druid.apache.org%3E
  [CANCEL][VOTE] Release Apache Druid 0.20.0 [RC1] (Pony Mail)
- https://lists.apache.org/thread.html/r2c7f899911a04164ed1707083fcd4135f8427e04778c87d83509b0da%40%3Cgeneral.hadoop.apache.org%3E
  CVE-2018-11765: Potential information disclosure in Hadoop Web interfaces (Pony Mail; Mailing List; Vendor Advisory)
- https://lists.apache.org/thread.html/rb241464d83baa3749b08cd3dabc8dba70a9a9027edcef3b5d4c24ef4@%3Ccommits.druid.apache.org%3E
  (Pony Mail; no title captured)
- https://security.netapp.com/advisory/ntap-20201016-0005/
  CVE-2018-11765 Apache Hadoop Vulnerability in NetApp Products (NetApp Product Security)
- https://lists.apache.org/thread.html/r79b15c5b66c6df175d01d7560adf0cd5c369129b9a161905e0339927@%3Ccommits.druid.apache.org%3E
  [GitHub] [druid] jon-wei merged pull request #10485: Suppress CVE-2018-11765 for hadoop dependencies (Pony Mail)