CVE-2018-11768
user/group information can be corrupted across storing in fsimage and reading back from fsimage
Severity: 7.5 HIGH (CVSS 3.1)
EPSS: 1.3%
Description
In Apache Hadoop 3.1.0 to 3.1.1, 3.0.0-alpha1 to 3.0.3, 2.9.0 to 2.9.1, and 2.0.0-alpha to 2.8.4, the user/group information can be corrupted across storing in fsimage and reading back from fsimage.
How to fix CVE-2018-11768
To remediate CVE-2018-11768, upgrade the affected package to a fixed version below.
- Upgrade to 2.8.5 or later
Is CVE-2018-11768 being exploited?
Low — EPSS is 1.3%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- >= 2.2.0, < 2.8.5
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
References (12)
- ADVISORY: nvd.nist.gov/vuln/detail/CVE-2018-11768
- WEB: hadoop.apache.org/cve_list.html
- WEB: lists.apache.org/thread.html/2067a797b330530a6932f4b08f703b3173253d0a2b7c8c524e54adaf@%3Cgeneral.hadoop.apache.org%3E
- WEB: lists.apache.org/thread.html/2c9cc65864be0058a5d5ed2025dfb9c700bf23d352b0c826c36ff96a@%3Chdfs-dev.hadoop.apache.org%3E