Django REST framework

Lookup for vulnerable packages by Package URL.

Purl pkg:maven/org.apache.hadoop/hadoop-yarn-server-nodemanager@3.3.4

Type maven

Namespace org.apache.hadoop

Name hadoop-yarn-server-nodemanager

Version 3.3.4

Qualifiers

Subpath

Is_vulnerable true

Next_non_vulnerable_version 3.3.5

Latest_non_vulnerable_version 3.3.5

Affected_by_vulnerabilities

url VCID-q8gj-qdrr-j7cb

vulnerability_id VCID-q8gj-qdrr-j7cb

summary

Untrusted Search Path
Relative library resolution in linux container-executor binary in Apache Hadoop 3.3.1-3.3.4 on Linux allows local user to gain root privileges. If the YARN cluster is accepting work from remote (authenticated) users, this MAY permit remote users to gain root privileges.

Hadoop 3.3.0 updated the " YARN Secure Containers https://hadoop.apache.org/docs/stable/hadoop-yarn/hadoop-yarn-site/SecureContainer.html " to add a feature for executing user-submitted applications in isolated linux containers.

The native binary HADOOP_HOME/bin/container-executor is used to launch these containers; it must be owned by root and have the suid bit set in order for the YARN processes to run the containers as the specific users submitting the jobs.

The patch " YARN-10495 https://issues.apache.org/jira/browse/YARN-10495 . make the rpath of container-executor configurable" modified the library loading path for loading .so files from "$ORIGIN/" to ""$ORIGIN/:../lib/native/". This is the a path through which libcrypto.so is located. Thus it is is possible for a user with reduced privileges to install a malicious libcrypto library into a path to which they have write access, invoke the container-executor command, and have their modified library executed as root.
If the YARN cluster is accepting work from remote (authenticated) users, and these users' submitted job are executed in the physical host, rather than a container, then the CVE permits remote users to gain root privileges.

The fix for the vulnerability is to revert the change, which is done in YARN-11441 https://issues.apache.org/jira/browse/YARN-11441, "Revert YARN-10495". This patch is in hadoop-3.3.5.

To determine whether a version of container-executor is vulnerable, use the readelf command. If the RUNPATH or RPATH value contains the relative path "./lib/native/" then it is at risk

$ readelf -d container-executor|grep 'RUNPATH\|RPATH'
0x000000000000001d (RUNPATH) Library runpath: [$ORIGIN/:../lib/native/]

If it does not, then it is safe:

$ readelf -d container-executor|grep 'RUNPATH\|RPATH'
0x000000000000001d (RUNPATH) Library runpath: [$ORIGIN/]

For an at-risk version of container-executor to enable privilege escalation, the owner must be root and the suid bit must be set

$ ls -laF /opt/hadoop/bin/container-executor
---Sr-s---. 1 root hadoop 802968 May 9 20:21 /opt/hadoop/bin/container-executor

A safe installation lacks the suid bit; ideally is also not owned by root.

$ ls -laF /opt/hadoop/bin/container-executor
-rwxr-xr-x. 1 yarn hadoop 802968 May 9 20:21 /opt/hadoop/bin/container-executor

This configuration does not support Yarn Secure Containers, but all other hadoop services, including YARN job execution outside secure containers continue to work.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-26031.json

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-26031.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2023-26031

reference_id

reference_type

scores

value	0.08371
scoring_system	epss
scoring_elements	0.92325
published_at	2026-04-26T12:55:00Z

value	0.08371
scoring_system	epss
scoring_elements	0.92324
published_at	2026-04-24T12:55:00Z

value	0.08371
scoring_system	epss
scoring_elements	0.92318
published_at	2026-04-18T12:55:00Z

value	0.08371
scoring_system	epss
scoring_elements	0.92319
published_at	2026-04-21T12:55:00Z

value	0.08371
scoring_system	epss
scoring_elements	0.92309
published_at	2026-04-12T12:55:00Z

value	0.08371
scoring_system	epss
scoring_elements	0.92307
published_at	2026-04-13T12:55:00Z

value	0.09267
scoring_system	epss
scoring_elements	0.92749
published_at	2026-04-29T12:55:00Z

value	0.10443
scoring_system	epss
scoring_elements	0.93224
published_at	2026-04-09T12:55:00Z

value	0.10443
scoring_system	epss
scoring_elements	0.9322
published_at	2026-04-08T12:55:00Z

value	0.10443
scoring_system	epss
scoring_elements	0.93211
published_at	2026-04-07T12:55:00Z

value	0.10443
scoring_system	epss
scoring_elements	0.93213
published_at	2026-04-04T12:55:00Z

value	0.10443
scoring_system	epss
scoring_elements	0.93209
published_at	2026-04-02T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2023-26031

reference_url

https://github.com/apache/hadoop

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

value	7.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/apache/hadoop

reference_url

https://github.com/apache/hadoop/commit/10e7ca481c8cd0548d903d39d8581291e533bf12

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

value	7.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/apache/hadoop/commit/10e7ca481c8cd0548d903d39d8581291e533bf12

reference_url

https://github.com/apache/hadoop/commit/7d3c8ef6064efd132828765e52e961977aebbf47

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

value	7.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/apache/hadoop/commit/7d3c8ef6064efd132828765e52e961977aebbf47

reference_url

https://hadoop.apache.org/cve_list.html

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

value	7.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-07-19T03:55:27Z/

url

https://hadoop.apache.org/cve_list.html

reference_url

https://issues.apache.org/jira/browse/YARN-11441

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

value	7.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-07-19T03:55:27Z/

url

https://issues.apache.org/jira/browse/YARN-11441

reference_url

https://lists.apache.org/thread/q9qpdlv952gb4kphpndd5phvl7fkh71r

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

value	7.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-07-19T03:55:27Z/

url

https://lists.apache.org/thread/q9qpdlv952gb4kphpndd5phvl7fkh71r

reference_url

https://security.netapp.com/advisory/ntap-20240112-0001

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

value	7.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://security.netapp.com/advisory/ntap-20240112-0001

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2250137
reference_id	2250137
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2250137

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2023-26031

reference_id

CVE-2023-26031

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

value	7.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2023-26031

reference_url

https://github.com/advisories/GHSA-94jh-j374-9r3j

reference_id

GHSA-94jh-j374-9r3j

reference_type

scores

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-94jh-j374-9r3j

reference_url

https://security.netapp.com/advisory/ntap-20240112-0001/

reference_id

ntap-20240112-0001

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-07-19T03:55:27Z/

url

https://security.netapp.com/advisory/ntap-20240112-0001/

fixed_packages

url	pkg:maven/org.apache.hadoop/hadoop-yarn-server-nodemanager@3.3.5
purl	pkg:maven/org.apache.hadoop/hadoop-yarn-server-nodemanager@3.3.5
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.hadoop/hadoop-yarn-server-nodemanager@3.3.5

aliases CVE-2023-26031, GHSA-94jh-j374-9r3j

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-q8gj-qdrr-j7cb

Fixing_vulnerabilities

url VCID-r29h-hzhg-uyce

vulnerability_id VCID-r29h-hzhg-uyce

summary

Deserialization of Untrusted Data in Apache Hadoop YARN
ZKConfigurationStore which is optionally used by CapacityScheduler of Apache Hadoop YARN deserializes data obtained from ZooKeeper without validation. An attacker having access to ZooKeeper can run arbitrary commands as YARN user by exploiting this. Users should upgrade to Apache Hadoop 2.10.2, 3.2.4, 3.3.4 or later (containing YARN-11126) if ZKConfigurationStore is used.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-25642.json

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-25642.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2021-25642

reference_id

reference_type

scores

value	0.02702
scoring_system	epss
scoring_elements	0.85931
published_at	2026-04-29T12:55:00Z

value	0.02702
scoring_system	epss
scoring_elements	0.8585
published_at	2026-04-07T12:55:00Z

value	0.02702
scoring_system	epss
scoring_elements	0.85869
published_at	2026-04-08T12:55:00Z

value	0.02702
scoring_system	epss
scoring_elements	0.85879
published_at	2026-04-09T12:55:00Z

value	0.02702
scoring_system	epss
scoring_elements	0.85893
published_at	2026-04-11T12:55:00Z

value	0.02702
scoring_system	epss
scoring_elements	0.85891
published_at	2026-04-12T12:55:00Z

value	0.02702
scoring_system	epss
scoring_elements	0.85886
published_at	2026-04-13T12:55:00Z

value	0.02702
scoring_system	epss
scoring_elements	0.85904
published_at	2026-04-16T12:55:00Z

value	0.02702
scoring_system	epss
scoring_elements	0.85908
published_at	2026-04-18T12:55:00Z

value	0.02702
scoring_system	epss
scoring_elements	0.859
published_at	2026-04-21T12:55:00Z

value	0.02702
scoring_system	epss
scoring_elements	0.85921
published_at	2026-04-24T12:55:00Z

value	0.02702
scoring_system	epss
scoring_elements	0.8593
published_at	2026-04-26T12:55:00Z

value	0.02702
scoring_system	epss
scoring_elements	0.85817
published_at	2026-04-01T12:55:00Z

value	0.02702
scoring_system	epss
scoring_elements	0.85829
published_at	2026-04-02T12:55:00Z

value	0.02702
scoring_system	epss
scoring_elements	0.85846
published_at	2026-04-04T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2021-25642

reference_url

https://github.com/apache/hadoop

reference_id

reference_type

scores

value	8.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/apache/hadoop

reference_url

https://github.com/apache/hadoop/commit/5e2f4339fadc88f20543915fc9b0aaeaf4f9e7bf

reference_id

reference_type

scores

value	8.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/apache/hadoop/commit/5e2f4339fadc88f20543915fc9b0aaeaf4f9e7bf

reference_url

https://lists.apache.org/thread/g6vf2h4wdgzzdgk91mqozhs58wotq150

reference_id

reference_type

scores

value	8.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://lists.apache.org/thread/g6vf2h4wdgzzdgk91mqozhs58wotq150

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2021-25642

reference_id

reference_type

scores

value	8.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2021-25642

reference_url

https://security.netapp.com/advisory/ntap-20221201-0003

reference_id

reference_type

scores

value	8.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://security.netapp.com/advisory/ntap-20221201-0003

reference_url	https://security.netapp.com/advisory/ntap-20221201-0003/
reference_id
reference_type
scores
url	https://security.netapp.com/advisory/ntap-20221201-0003/

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2127281
reference_id	2127281
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2127281

reference_url

https://github.com/advisories/GHSA-rr2m-gffv-mgrj

reference_id

GHSA-rr2m-gffv-mgrj

reference_type

scores

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-rr2m-gffv-mgrj

fixed_packages

url	pkg:maven/org.apache.hadoop/hadoop-yarn-server-nodemanager@2.10.2
purl	pkg:maven/org.apache.hadoop/hadoop-yarn-server-nodemanager@2.10.2
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.hadoop/hadoop-yarn-server-nodemanager@2.10.2

url	pkg:maven/org.apache.hadoop/hadoop-yarn-server-nodemanager@3.2.4
purl	pkg:maven/org.apache.hadoop/hadoop-yarn-server-nodemanager@3.2.4
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.hadoop/hadoop-yarn-server-nodemanager@3.2.4

url pkg:maven/org.apache.hadoop/hadoop-yarn-server-nodemanager@3.3.4

purl pkg:maven/org.apache.hadoop/hadoop-yarn-server-nodemanager@3.3.4

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-q8gj-qdrr-j7cb

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.hadoop/hadoop-yarn-server-nodemanager@3.3.4

aliases CVE-2021-25642, GHSA-rr2m-gffv-mgrj

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-r29h-hzhg-uyce

Risk_score 4.0

Resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.hadoop/hadoop-yarn-server-nodemanager@3.3.4

Package Instance