CVE-2021-37404

There is a potential heap buffer overflow in Apache Hadoop libhdfs native code. Opening a file path provided by user without validation may result in a denial of service or arbitrary code execution. Users should upgrade to Apache Hadoop 2.10.2, 3.2.3, 3.3.2 or higher.

Published: Jun 13, 2022
Updated: Jun 27, 2023
CVE: CVE-2021-37404
GHSA: GHSA-rmpj-7c96-mrg8
Severity: Critical
Exploit:

CVSS v3:

Severity: Critical
Score: 9.8
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v2:

Severity: High
Score: 7.5
AV:N/AC:L/Au:N/C:P/I:P/A:P

CWEs:

CWE-120
CWE-787
CWE-131

Affected Software
References

Software	From	Fixed in
apache / hadoop	3.3.0	3.3.2
apache / hadoop	3.2.0	3.2.3
apache / hadoop	3.0.0	3.1.4.x
apache / hadoop	2.9.0	2.10.2
org.apache.hadoop / hadoop-common	3.3.0	3.3.2
org.apache.hadoop / hadoop-common	3.0.0	3.2.3
org.apache.hadoop / hadoop-common	-	2.10.2

https://lists.apache.org/thread/2h56ztcj3ojc66qzf1nno88vjw9vd4wo
https://security.netapp.com/advisory/ntap-20220715-0007/

Vulnerability Database

289,599

CVE-2021-37404