CVE-2018-11765
Improper Authentication in Apache Hadoop
Severity: 7.5 HIGH (CVSS 3.1) | EPSS: 1.1%
Description
In Apache Hadoop versions 3.0.0-alpha2 to 3.0.0, 2.9.0 to 2.9.2, and 2.8.0 to 2.8.5, any user can access some servlets without authentication when Kerberos authentication is enabled but SPNEGO authentication over HTTP is not enabled.
How to fix CVE-2018-11765
To remediate CVE-2018-11765, upgrade the affected package to one of the fixed versions listed below.
- Maven/org.apache.hadoop:hadoop-main: upgrade to 3.0.1 or later
Is CVE-2018-11765 being exploited?
Low — EPSS is 1.1%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- >= 3.0.0-alpha2, < 3.0.1
CVSS scores
| Source | Version | Severity | Score | Vector |
|---|---|---|---|---|
| osv | CVSS 3.1 | HIGH | 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |