CVE-2018-8029 (High) detected in hadoop-common-2.7.7.jar

[mend-for-github-com]

CVE-2018-8029 - High Severity Vulnerability

Vulnerable Library - hadoop-common-2.7.7.jar

Apache Hadoop Common

Path to dependency file: /ranger-hbase-plugin-shim/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/hadoop/hadoop-common/2.7.7/hadoop-common-2.7.7.jar

Dependency Hierarchy:

• hbase-server-2.0.2.jar (Root Library)
  • ❌ hadoop-common-2.7.7.jar (Vulnerable Library)

Found in HEAD commit: 3d8c1142c5739a45e8e562215c8c83915a44ee6c

Found in base branch: master

Vulnerability Details

In Apache Hadoop versions 3.0.0-alpha1 to 3.1.0, 2.9.0 to 2.9.1, and 2.2.0 to 2.8.4, a user who can escalate to yarn user can possibly run arbitrary commands as root user.

Publish Date: 2019-05-30

URL: CVE-2018-8029

CVSS 3 Score Details (8.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8029

Release Date: 2019-05-30

Fix Resolution (org.apache.hadoop:hadoop-common): 2.8.5

Direct dependency fix Resolution (org.apache.hbase:hbase-server): 2.0.3

---

⛑️ Automatic Remediation is available for this issue