Search for vulnerabilities
Vulnerability details: VCID-yn3b-vn6g-aaaq
Vulnerability ID VCID-yn3b-vn6g-aaaq
Aliases CVE-2023-26031
GHSA-94jh-j374-9r3j
Summary hadoop-yarn-server-nodemanager: Untrusted search path may lead to privilege escalation via container-executor suid binary
Status Published
Exploitability 0.5
Weighted Severity 8.0
Risk 4.0
Affected and Fixed Packages Package Details
Weaknesses (4)
CWE-426 Untrusted Search Path
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
System Score Found at
cvssv3 7.5 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-26031.json
epss 0.00060 https://api.first.org/data/v1/epss?cve=CVE-2023-26031
epss 0.00060 https://api.first.org/data/v1/epss?cve=CVE-2023-26031
epss 0.00060 https://api.first.org/data/v1/epss?cve=CVE-2023-26031
epss 0.00060 https://api.first.org/data/v1/epss?cve=CVE-2023-26031
epss 0.00060 https://api.first.org/data/v1/epss?cve=CVE-2023-26031
epss 0.00060 https://api.first.org/data/v1/epss?cve=CVE-2023-26031
epss 0.00060 https://api.first.org/data/v1/epss?cve=CVE-2023-26031
epss 0.00060 https://api.first.org/data/v1/epss?cve=CVE-2023-26031
epss 0.00062 https://api.first.org/data/v1/epss?cve=CVE-2023-26031
epss 0.00062 https://api.first.org/data/v1/epss?cve=CVE-2023-26031
epss 0.00062 https://api.first.org/data/v1/epss?cve=CVE-2023-26031
epss 0.00062 https://api.first.org/data/v1/epss?cve=CVE-2023-26031
epss 0.00071 https://api.first.org/data/v1/epss?cve=CVE-2023-26031
epss 0.00071 https://api.first.org/data/v1/epss?cve=CVE-2023-26031
epss 0.00071 https://api.first.org/data/v1/epss?cve=CVE-2023-26031
epss 0.00071 https://api.first.org/data/v1/epss?cve=CVE-2023-26031
epss 0.05595 https://api.first.org/data/v1/epss?cve=CVE-2023-26031
epss 0.05595 https://api.first.org/data/v1/epss?cve=CVE-2023-26031
epss 0.05595 https://api.first.org/data/v1/epss?cve=CVE-2023-26031
epss 0.05595 https://api.first.org/data/v1/epss?cve=CVE-2023-26031
epss 0.05595 https://api.first.org/data/v1/epss?cve=CVE-2023-26031
epss 0.05595 https://api.first.org/data/v1/epss?cve=CVE-2023-26031
epss 0.05595 https://api.first.org/data/v1/epss?cve=CVE-2023-26031
epss 0.05595 https://api.first.org/data/v1/epss?cve=CVE-2023-26031
epss 0.05595 https://api.first.org/data/v1/epss?cve=CVE-2023-26031
epss 0.05595 https://api.first.org/data/v1/epss?cve=CVE-2023-26031
epss 0.05595 https://api.first.org/data/v1/epss?cve=CVE-2023-26031
epss 0.05595 https://api.first.org/data/v1/epss?cve=CVE-2023-26031
epss 0.05595 https://api.first.org/data/v1/epss?cve=CVE-2023-26031
epss 0.05595 https://api.first.org/data/v1/epss?cve=CVE-2023-26031
epss 0.12431 https://api.first.org/data/v1/epss?cve=CVE-2023-26031
epss 0.12692 https://api.first.org/data/v1/epss?cve=CVE-2023-26031
epss 0.12692 https://api.first.org/data/v1/epss?cve=CVE-2023-26031
epss 0.12692 https://api.first.org/data/v1/epss?cve=CVE-2023-26031
epss 0.12692 https://api.first.org/data/v1/epss?cve=CVE-2023-26031
epss 0.12692 https://api.first.org/data/v1/epss?cve=CVE-2023-26031
epss 0.12692 https://api.first.org/data/v1/epss?cve=CVE-2023-26031
epss 0.12692 https://api.first.org/data/v1/epss?cve=CVE-2023-26031
epss 0.12692 https://api.first.org/data/v1/epss?cve=CVE-2023-26031
epss 0.12692 https://api.first.org/data/v1/epss?cve=CVE-2023-26031
epss 0.12692 https://api.first.org/data/v1/epss?cve=CVE-2023-26031
epss 0.12692 https://api.first.org/data/v1/epss?cve=CVE-2023-26031
epss 0.12692 https://api.first.org/data/v1/epss?cve=CVE-2023-26031
epss 0.12692 https://api.first.org/data/v1/epss?cve=CVE-2023-26031
epss 0.12692 https://api.first.org/data/v1/epss?cve=CVE-2023-26031
epss 0.12692 https://api.first.org/data/v1/epss?cve=CVE-2023-26031
epss 0.12692 https://api.first.org/data/v1/epss?cve=CVE-2023-26031
epss 0.12692 https://api.first.org/data/v1/epss?cve=CVE-2023-26031
epss 0.12692 https://api.first.org/data/v1/epss?cve=CVE-2023-26031
epss 0.12692 https://api.first.org/data/v1/epss?cve=CVE-2023-26031
epss 0.12692 https://api.first.org/data/v1/epss?cve=CVE-2023-26031
epss 0.12692 https://api.first.org/data/v1/epss?cve=CVE-2023-26031
epss 0.12692 https://api.first.org/data/v1/epss?cve=CVE-2023-26031
epss 0.12692 https://api.first.org/data/v1/epss?cve=CVE-2023-26031
epss 0.12692 https://api.first.org/data/v1/epss?cve=CVE-2023-26031
epss 0.12692 https://api.first.org/data/v1/epss?cve=CVE-2023-26031
epss 0.12692 https://api.first.org/data/v1/epss?cve=CVE-2023-26031
epss 0.12692 https://api.first.org/data/v1/epss?cve=CVE-2023-26031
epss 0.12692 https://api.first.org/data/v1/epss?cve=CVE-2023-26031
epss 0.12692 https://api.first.org/data/v1/epss?cve=CVE-2023-26031
epss 0.12692 https://api.first.org/data/v1/epss?cve=CVE-2023-26031
epss 0.12692 https://api.first.org/data/v1/epss?cve=CVE-2023-26031
epss 0.12692 https://api.first.org/data/v1/epss?cve=CVE-2023-26031
epss 0.12692 https://api.first.org/data/v1/epss?cve=CVE-2023-26031
epss 0.12692 https://api.first.org/data/v1/epss?cve=CVE-2023-26031
epss 0.12692 https://api.first.org/data/v1/epss?cve=CVE-2023-26031
epss 0.12692 https://api.first.org/data/v1/epss?cve=CVE-2023-26031
epss 0.12692 https://api.first.org/data/v1/epss?cve=CVE-2023-26031
epss 0.12692 https://api.first.org/data/v1/epss?cve=CVE-2023-26031
epss 0.12692 https://api.first.org/data/v1/epss?cve=CVE-2023-26031
epss 0.12692 https://api.first.org/data/v1/epss?cve=CVE-2023-26031
epss 0.12692 https://api.first.org/data/v1/epss?cve=CVE-2023-26031
epss 0.12692 https://api.first.org/data/v1/epss?cve=CVE-2023-26031
epss 0.12692 https://api.first.org/data/v1/epss?cve=CVE-2023-26031
epss 0.12692 https://api.first.org/data/v1/epss?cve=CVE-2023-26031
cvssv3.1_qr HIGH https://github.com/advisories/GHSA-94jh-j374-9r3j
cvssv3.1 3.3 https://github.com/apache/hadoop
generic_textual LOW https://github.com/apache/hadoop
cvssv3.1 7.5 https://github.com/apache/hadoop/commit/10e7ca481c8cd0548d903d39d8581291e533bf12
generic_textual HIGH https://github.com/apache/hadoop/commit/10e7ca481c8cd0548d903d39d8581291e533bf12
cvssv3.1 7.5 https://github.com/apache/hadoop/commit/7d3c8ef6064efd132828765e52e961977aebbf47
generic_textual HIGH https://github.com/apache/hadoop/commit/7d3c8ef6064efd132828765e52e961977aebbf47
cvssv3.1 7.5 https://hadoop.apache.org/cve_list.html
generic_textual HIGH https://hadoop.apache.org/cve_list.html
cvssv3.1 7.5 https://issues.apache.org/jira/browse/YARN-11441
generic_textual HIGH https://issues.apache.org/jira/browse/YARN-11441
cvssv3.1 7.5 https://lists.apache.org/thread/q9qpdlv952gb4kphpndd5phvl7fkh71r
generic_textual HIGH https://lists.apache.org/thread/q9qpdlv952gb4kphpndd5phvl7fkh71r
cvssv3 7.5 https://nvd.nist.gov/vuln/detail/CVE-2023-26031
cvssv3.1 7.5 https://nvd.nist.gov/vuln/detail/CVE-2023-26031
cvssv3.1 7.5 https://security.netapp.com/advisory/ntap-20240112-0001
generic_textual HIGH https://security.netapp.com/advisory/ntap-20240112-0001
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-26031.json
https://api.first.org/data/v1/epss?cve=CVE-2023-26031
https://github.com/apache/hadoop
https://github.com/apache/hadoop/commit/10e7ca481c8cd0548d903d39d8581291e533bf12
https://github.com/apache/hadoop/commit/7d3c8ef6064efd132828765e52e961977aebbf47
https://hadoop.apache.org/cve_list.html
https://issues.apache.org/jira/browse/YARN-11441
https://lists.apache.org/thread/q9qpdlv952gb4kphpndd5phvl7fkh71r
https://security.netapp.com/advisory/ntap-20240112-0001
https://security.netapp.com/advisory/ntap-20240112-0001/
2250137 https://bugzilla.redhat.com/show_bug.cgi?id=2250137
cpe:2.3:a:apache:hadoop:*:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:hadoop:*:*:*:*:*:*:*:*
CVE-2023-26031 https://nvd.nist.gov/vuln/detail/CVE-2023-26031
GHSA-94jh-j374-9r3j https://github.com/advisories/GHSA-94jh-j374-9r3j
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-26031.json
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N Found at https://github.com/apache/hadoop
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/apache/hadoop/commit/10e7ca481c8cd0548d903d39d8581291e533bf12
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/apache/hadoop/commit/7d3c8ef6064efd132828765e52e961977aebbf47
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H Found at https://hadoop.apache.org/cve_list.html
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H Found at https://issues.apache.org/jira/browse/YARN-11441
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H Found at https://lists.apache.org/thread/q9qpdlv952gb4kphpndd5phvl7fkh71r
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2023-26031
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2023-26031
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H Found at https://security.netapp.com/advisory/ntap-20240112-0001
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.27242
EPSS Score 0.00060
Published At Nov. 23, 2024, midnight
Date Actor Action Source VulnerableCode Version
There are no relevant records.