CVE-2014-3627: Improper Link Resolution Before File Access ('Link Following')

May 17, 2022 (updated July 7, 2022)

The YARN NodeManager daemon in Apache Hadoop 0.23.0 through 0.23.11 and 2.x before 2.5.2, when using Kerberos authentication, allows remote cluster users to change the permissions of certain files to world-readable via a symlink attack in a public tar archive, which is not properly handled during localization, related to distributed cache.

References

mail-archives.apache.org/mod_mbox/hadoop-general/201411.mbox/%3CCALwhT97dOi04aC3VbekaB+zn2UAS_OZV2EAiP78GmjnMzfp2Ug@mail.gmail.com%3E
github.com/advisories/GHSA-jpmf-8cj2-595g
nvd.nist.gov/vuln/detail/CVE-2014-3627

Code Behaviors & Features

Detect and mitigate CVE-2014-3627 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →