CVE-2021-37404

There is a potential heap buffer overflow in Apache Hadoop libhdfs native code. Opening a file path provided by user without validation may result in a denial of service or arbitrary code execution. Users should upgrade to Apache Hadoop 2.10.2, 3.2.3, 3.3.2 or higher.

CVSS v3 9.8 CRITICAL
CVSS v2.0 7.5 HIGH

9.8^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

7.5^/10

CVSS v2.0 : HIGH

Vector : AV:N/AC:L/Au:N/C:P/I:P/A:P

Exploitability : 10.0 / Impact : 6.4

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
https://lists.apache.org/thread/2h56ztcj3ojc66qzf1nno88vjw9vd4wo	Mailing List
https://security.netapp.com/advisory/ntap-20220715-0007/	Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:apache:hadoop::::::::
	cpe:2.3:a:apache:hadoop::::::::
	cpe:2.3:a:apache:hadoop::::::::
	cpe:2.3:a:apache:hadoop::::::::

History

26 Jun 2023, 17:58

Type	Values Removed	Values Added
CWE	~~CWE-120~~	CWE-787

27 Oct 2022, 16:15

Type	Values Removed	Values Added
References	~~(CONFIRM) https://security.netapp.com/advisory/ntap-20220715-0007/ -~~	(CONFIRM) https://security.netapp.com/advisory/ntap-20220715-0007/ - Third Party Advisory

15 Jul 2022, 16:15

Type	Values Removed	Values Added
References		(CONFIRM) https://security.netapp.com/advisory/ntap-20220715-0007/ -

22 Jun 2022, 12:49

Type	Values Removed	Values Added
CWE		CWE-120
CPE		cpe:2.3:a:apache:hadoop::::::::
References	~~(CONFIRM) https://lists.apache.org/thread/2h56ztcj3ojc66qzf1nno88vjw9vd4wo -~~	(CONFIRM) https://lists.apache.org/thread/2h56ztcj3ojc66qzf1nno88vjw9vd4wo - Mailing List, Vendor Advisory
First Time		Apache Apache hadoop
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : 7.5 v3 : 9.8

13 Jun 2022, 09:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2022-06-13 07:15

Updated : 2023-12-10 14:22

NVD link : CVE-2021-37404

Mitre link : CVE-2021-37404

CVE.ORG link : CVE-2021-37404

JSON object : View

Products Affected

apache

hadoop

CWE

CWE-787

Out-of-bounds Write

{"id": "CVE-2021-37404", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 7.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "HIGH", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2022-06-13T07:15:08.327", "references": [{"url": "https://lists.apache.org/thread/2h56ztcj3ojc66qzf1nno88vjw9vd4wo", "tags": ["Mailing List"], "source": "security@apache.org"}, {"url": "https://security.netapp.com/advisory/ntap-20220715-0007/", "tags": ["Third Party Advisory"], "source": "security@apache.org"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "security@apache.org", "description": [{"lang": "en", "value": "CWE-787"}]}, {"type": "Secondary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-787"}]}], "descriptions": [{"lang": "en", "value": "There is a potential heap buffer overflow in Apache Hadoop libhdfs native code. Opening a file path provided by user without validation may result in a denial of service or arbitrary code execution. Users should upgrade to Apache Hadoop 2.10.2, 3.2.3, 3.3.2 or higher."}, {"lang": "es", "value": "Se presenta un potencial desbordamiento del b\u00fafer de la pila en el c\u00f3digo nativo de Apache Hadoop libhdfs. La apertura de una ruta de archivo proporcionada por el usuario sin que sea comprobada puede resultar en una denegaci\u00f3n de servicio o una ejecuci\u00f3n de c\u00f3digo arbitrario. Los usuarios deben actualizar a Apache Hadoop versiones 2.10.2, 3.2.3, 3.3.2 o superiores"}], "lastModified": "2023-06-27T15:15:09.823", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:apache:hadoop:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3A6A3293-6E60-4350-8917-DA91C6AE2A72", "versionEndExcluding": "2.10.2", "versionStartIncluding": "2.9.0"}, {"criteria": "cpe:2.3:a:apache:hadoop:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2C8009A5-2D0F-4C53-B48F-CBABD0768023", "versionEndIncluding": "3.1.4", "versionStartIncluding": "3.0.0"}, {"criteria": "cpe:2.3:a:apache:hadoop:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0375CDA1-7838-4D72-BEB1-406BEC56BC91", "versionEndExcluding": "3.2.3", "versionStartIncluding": "3.2.0"}, {"criteria": "cpe:2.3:a:apache:hadoop:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "95BECC24-F7DC-4052-9B82-5B78005C3210", "versionEndExcluding": "3.3.2", "versionStartIncluding": "3.3.0"}], "operator": "OR"}]}], "sourceIdentifier": "security@apache.org"}