VulnerableCode Package Details - pkg:maven/org.apache.hadoop/hadoop-main@3.1.0

Search for packages

Vulnerability	Summary	Fixed by
VCID-1xbr-pekw-ukcn Aliases: CVE-2020-9492 GHSA-f8vc-wfc8-hxqh	Incorrect Authorization In Apache Hadoop 3.2.0 to 3.2.1, 3.0.0-alpha1 to 3.1.3, and 2.0.0-alpha to 2.10.0, WebHDFS client might send SPNEGO authorization header to remote URL without proper verification.	3.1.4 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} 3.2.2 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}
VCID-6fnh-mjwd-9qee Aliases: CVE-2018-8029 GHSA-37pw-qw47-4jxm	Privilege escalation A user who can escalate to yarn user can possibly run arbitrary commands as root user.	3.1.1 Affected by 3 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-a8xd-ukj7-tqbk Aliases: CVE-2022-25168 GHSA-8wm5-8h9c-47pc	Apache Hadoop argument injection vulnerability Apache Hadoop's `FileUtil.unTar(File, File)` API does not escape the input file name before being passed to the shell. An attacker can inject arbitrary commands. This is only used in Hadoop 3.3 InMemoryAliasMap.completeBootstrapTransfer, which is only ever run by a local user. It has been used in Hadoop 2.x for yarn localization, which does enable remote code execution. It is used in Apache Spark, from the SQL command ADD ARCHIVE. As the ADD ARCHIVE command adds new binaries to the classpath, being able to execute shell scripts does not confer new permissions to the caller. SPARK-38305. "Check existence of file before untarring/zipping", which is included in 3.3.0, 3.1.4, 3.2.2, prevents shell commands being executed, regardless of which version of the hadoop libraries are in use. Users should upgrade to Apache Hadoop 2.10.2, 3.2.4, 3.3.3 or upper (including HADOOP-18136).	3.2.4 Affected by 0 other vulnerabilities. 3.3.3 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}
VCID-jxf7-btpn-xyax Aliases: CVE-2018-11768 GHSA-hx83-rpqf-m267	In Apache Hadoop 3.1.0 to 3.1.1, 3.0.0-alpha1 to 3.0.3, 2.9.0 to 2.9.1, and 2.0.0-alpha to 2.8.4, the user/group information can be corrupted across storing in fsimage and reading back from fsimage.	3.1.1 Affected by 3 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 3.1.2 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-p5ab-z4u4-akcv Aliases: CVE-2018-8009 GHSA-6x48-j4x4-cqw3	Apache Hadoop 3.1.0, 3.0.0-alpha to 3.0.2, 2.9.0 to 2.9.1, 2.8.0 to 2.8.4, 2.0.0-alpha to 2.7.6, 0.23.0 to 0.23.11 is exploitable via the zip slip vulnerability in places that accept a zip file.	3.1.1 Affected by 3 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}

Vulnerability

Summary

Fixed by

VCID-1xbr-pekw-ukcn
Aliases:
CVE-2020-9492
GHSA-f8vc-wfc8-hxqh

Incorrect Authorization In Apache Hadoop 3.2.0 to 3.2.1, 3.0.0-alpha1 to 3.1.3, and 2.0.0-alpha to 2.10.0, WebHDFS client might send SPNEGO authorization header to remote URL without proper verification.

3.1.4
Affected by 1 other vulnerability.

3.2.2
Affected by 1 other vulnerability.

VCID-6fnh-mjwd-9qee
Aliases:
CVE-2018-8029
GHSA-37pw-qw47-4jxm

Privilege escalation A user who can escalate to yarn user can possibly run arbitrary commands as root user.

3.1.1
Affected by 3 other vulnerabilities.

VCID-a8xd-ukj7-tqbk
Aliases:
CVE-2022-25168
GHSA-8wm5-8h9c-47pc

Apache Hadoop argument injection vulnerability Apache Hadoop's `FileUtil.unTar(File, File)` API does not escape the input file name before being passed to the shell. An attacker can inject arbitrary commands. This is only used in Hadoop 3.3 InMemoryAliasMap.completeBootstrapTransfer, which is only ever run by a local user. It has been used in Hadoop 2.x for yarn localization, which does enable remote code execution. It is used in Apache Spark, from the SQL command ADD ARCHIVE. As the ADD ARCHIVE command adds new binaries to the classpath, being able to execute shell scripts does not confer new permissions to the caller. SPARK-38305. "Check existence of file before untarring/zipping", which is included in 3.3.0, 3.1.4, 3.2.2, prevents shell commands being executed, regardless of which version of the hadoop libraries are in use. Users should upgrade to Apache Hadoop 2.10.2, 3.2.4, 3.3.3 or upper (including HADOOP-18136).

3.2.4
Affected by 0 other vulnerabilities.

3.3.3
Affected by 1 other vulnerability.

VCID-jxf7-btpn-xyax
Aliases:
CVE-2018-11768
GHSA-hx83-rpqf-m267

In Apache Hadoop 3.1.0 to 3.1.1, 3.0.0-alpha1 to 3.0.3, 2.9.0 to 2.9.1, and 2.0.0-alpha to 2.8.4, the user/group information can be corrupted across storing in fsimage and reading back from fsimage.

3.1.1
Affected by 3 other vulnerabilities.

3.1.2
Affected by 2 other vulnerabilities.

VCID-p5ab-z4u4-akcv
Aliases:
CVE-2018-8009
GHSA-6x48-j4x4-cqw3

Apache Hadoop 3.1.0, 3.0.0-alpha to 3.0.2, 2.9.0 to 2.9.1, 2.8.0 to 2.8.4, 2.0.0-alpha to 2.7.6, 0.23.0 to 0.23.11 is exploitable via the zip slip vulnerability in places that accept a zip file.

3.1.1
Affected by 3 other vulnerabilities.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-16T22:06:45.449361+00:00	GitLab Importer	Affected by	VCID-a8xd-ukj7-tqbk	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.hadoop/hadoop-main/CVE-2022-25168.yml	38.4.0
2026-04-16T21:16:18.387512+00:00	GitLab Importer	Affected by	VCID-1xbr-pekw-ukcn	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.hadoop/hadoop-main/CVE-2020-9492.yml	38.4.0
2026-04-16T20:57:41.511366+00:00	GitLab Importer	Affected by	VCID-jxf7-btpn-xyax	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.hadoop/hadoop-main/CVE-2018-11768.yml	38.4.0
2026-04-16T20:54:51.578813+00:00	GitLab Importer	Affected by	VCID-6fnh-mjwd-9qee	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.hadoop/hadoop-main/CVE-2018-8029.yml	38.4.0
2026-04-11T23:22:59.516452+00:00	GitLab Importer	Affected by	VCID-a8xd-ukj7-tqbk	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.hadoop/hadoop-main/CVE-2022-25168.yml	38.3.0
2026-04-11T22:28:25.988946+00:00	GitLab Importer	Affected by	VCID-1xbr-pekw-ukcn	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.hadoop/hadoop-main/CVE-2020-9492.yml	38.3.0
2026-04-11T22:08:46.822714+00:00	GitLab Importer	Affected by	VCID-jxf7-btpn-xyax	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.hadoop/hadoop-main/CVE-2018-11768.yml	38.3.0
2026-04-11T22:05:51.181755+00:00	GitLab Importer	Affected by	VCID-6fnh-mjwd-9qee	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.hadoop/hadoop-main/CVE-2018-8029.yml	38.3.0
2026-04-02T23:29:38.106642+00:00	GitLab Importer	Affected by	VCID-a8xd-ukj7-tqbk	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.hadoop/hadoop-main/CVE-2022-25168.yml	38.1.0
2026-04-02T22:40:02.906418+00:00	GitLab Importer	Affected by	VCID-1xbr-pekw-ukcn	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.hadoop/hadoop-main/CVE-2020-9492.yml	38.1.0
2026-04-02T22:21:26.875453+00:00	GitLab Importer	Affected by	VCID-jxf7-btpn-xyax	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.hadoop/hadoop-main/CVE-2018-11768.yml	38.1.0
2026-04-02T22:18:40.405416+00:00	GitLab Importer	Affected by	VCID-6fnh-mjwd-9qee	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.hadoop/hadoop-main/CVE-2018-8029.yml	38.1.0
2026-04-01T17:51:02.482847+00:00	GitLab Importer	Affected by	VCID-a8xd-ukj7-tqbk	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.hadoop/hadoop-main/CVE-2022-25168.yml	38.0.0
2026-04-01T16:57:31.761251+00:00	GitLab Importer	Affected by	VCID-1xbr-pekw-ukcn	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.hadoop/hadoop-main/CVE-2020-9492.yml	38.0.0
2026-04-01T16:39:12.506292+00:00	GitLab Importer	Affected by	VCID-jxf7-btpn-xyax	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.hadoop/hadoop-main/CVE-2018-11768.yml	38.0.0
2026-04-01T16:36:25.885326+00:00	GitLab Importer	Affected by	VCID-6fnh-mjwd-9qee	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.hadoop/hadoop-main/CVE-2018-8029.yml	38.0.0
2026-04-01T15:57:09.826893+00:00	GHSA Importer	Affected by	VCID-p5ab-z4u4-akcv	https://github.com/advisories/GHSA-6x48-j4x4-cqw3	38.0.0
2026-04-01T13:03:47.661405+00:00	GithubOSV Importer	Affected by	VCID-p5ab-z4u4-akcv	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/12/GHSA-6x48-j4x4-cqw3/GHSA-6x48-j4x4-cqw3.json	38.0.0