{"containers": {"cna": {"affected": [{"product": "Apache Hadoop", "vendor": "Apache Software Foundation", "versions": [{"status": "affected", "version": "2.9.0 to 2.10.1"}, {"status": "affected", "version": "3.0.0 to 3.1.4"}, {"status": "affected", "version": " 3.2.0 to 3.2.2"}, {"status": "affected", "version": "3.3.0 to 3.3.1"}]}], "credits": [{"lang": "en", "value": "This issue was discovered by Igor Chervatyuk."}], "descriptions": [{"lang": "en", "value": "There is a potential heap buffer overflow in Apache Hadoop libhdfs native code. Opening a file path provided by user without validation may result in a denial of service or arbitrary code execution. Users should upgrade to Apache Hadoop 2.10.2, 3.2.3, 3.3.2 or higher."}], "metrics": [{"other": {"content": {"other": "important"}, "type": "unknown"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-787", "description": "CWE-787 Out-of-bounds Write", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2023-06-27T14:00:41.693Z"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://lists.apache.org/thread/2h56ztcj3ojc66qzf1nno88vjw9vd4wo"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://security.netapp.com/advisory/ntap-20220715-0007/"}], "source": {"discovery": "UNKNOWN"}, "title": "Heap buffer overflow in libhdfs native library", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@apache.org", "ID": "CVE-2021-37404", "STATE": "PUBLIC", "TITLE": "Heap buffer overflow in libhdfs native library"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Apache Hadoop", "version": {"version_data": [{"version_value": "2.9.0 to 2.10.1"}, {"version_value": "3.0.0 to 3.1.4"}, {"version_value": " 3.2.0 to 3.2.2"}, {"version_value": "3.3.0 to 3.3.1"}]}}]}, "vendor_name": "Apache Software Foundation"}]}}, "credit": [{"lang": "eng", "value": "This issue was discovered by Igor Chervatyuk."}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "There is a potential heap buffer overflow in Apache Hadoop libhdfs native code. Opening a file path provided by user without validation may result in a denial of service or arbitrary code execution. Users should upgrade to Apache Hadoop 2.10.2, 3.2.3, 3.3.2 or higher."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": [{"other": "important"}], "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-787 Out-of-bounds Write"}]}]}, "references": {"reference_data": [{"name": "https://lists.apache.org/thread/2h56ztcj3ojc66qzf1nno88vjw9vd4wo", "refsource": "MISC", "url": "https://lists.apache.org/thread/2h56ztcj3ojc66qzf1nno88vjw9vd4wo"}, {"name": "https://security.netapp.com/advisory/ntap-20220715-0007/", "refsource": "CONFIRM", "url": "https://security.netapp.com/advisory/ntap-20220715-0007/"}]}, "source": {"discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T01:16:03.989Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://lists.apache.org/thread/2h56ztcj3ojc66qzf1nno88vjw9vd4wo"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://security.netapp.com/advisory/ntap-20220715-0007/"}]}]}, "cveMetadata": {"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2021-37404", "datePublished": "2022-06-13T07:00:16", "dateReserved": "2021-07-23T00:00:00", "dateUpdated": "2024-08-04T01:16:03.989Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:hadoop:*:*:*:*:*:*:*:*", "matchCriteriaId": "3A6A3293-6E60-4350-8917-DA91C6AE2A72", "versionEndExcluding": "2.10.2", "versionStartIncluding": "2.9.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:hadoop:*:*:*:*:*:*:*:*", "matchCriteriaId": "2C8009A5-2D0F-4C53-B48F-CBABD0768023", "versionEndIncluding": "3.1.4", "versionStartIncluding": "3.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:hadoop:*:*:*:*:*:*:*:*", "matchCriteriaId": "0375CDA1-7838-4D72-BEB1-406BEC56BC91", "versionEndExcluding": "3.2.3", "versionStartIncluding": "3.2.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:hadoop:*:*:*:*:*:*:*:*", "matchCriteriaId": "95BECC24-F7DC-4052-9B82-5B78005C3210", "versionEndExcluding": "3.3.2", "versionStartIncluding": "3.3.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "There is a potential heap buffer overflow in Apache Hadoop libhdfs native code. Opening a file path provided by user without validation may result in a denial of service or arbitrary code execution. Users should upgrade to Apache Hadoop 2.10.2, 3.2.3, 3.3.2 or higher."}, {"lang": "es", "value": "Se presenta un potencial desbordamiento del b\u00fafer de la pila en el c\u00f3digo nativo de Apache Hadoop libhdfs. La apertura de una ruta de archivo proporcionada por el usuario sin que sea comprobada puede resultar en una denegaci\u00f3n de servicio o una ejecuci\u00f3n de c\u00f3digo arbitrario. Los usuarios deben actualizar a Apache Hadoop versiones 2.10.2, 3.2.3, 3.3.2 o superiores"}], "id": "CVE-2021-37404", "lastModified": "2023-06-27T15:15:09.823", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-06-13T07:15:08.327", "references": [{"source": "security@apache.org", "tags": ["Mailing List"], "url": "https://lists.apache.org/thread/2h56ztcj3ojc66qzf1nno88vjw9vd4wo"}, {"source": "security@apache.org", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20220715-0007/"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-787"}], "source": "security@apache.org", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-787"}], "source": "nvd@nist.gov", "type": "Secondary"}]}

{"bugzilla": {"description": "hadoop-hdfs: Heap buffer overflow in Apache Hadoop libhdfs", "id": "2097421", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2097421"}, "csaw": false, "cvss3": {"cvss3_base_score": "9.8", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-131", "details": ["There is a potential heap buffer overflow in Apache Hadoop libhdfs native code. Opening a file path provided by user without validation may result in a denial of service or arbitrary code execution. Users should upgrade to Apache Hadoop 2.10.2, 3.2.3, 3.3.2 or higher.", "A flaw was found in Apache Hadoop. Opening a file path provided by a user without validation may result in a denial of service or arbitrary code execution."], "name": "CVE-2021-37404", "package_state": [{"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Not affected", "package_name": "hadoop-hdfs", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:jboss_fuse:6", "fix_state": "Out of support scope", "package_name": "hadoop-hdfs", "product_name": "Red Hat JBoss Fuse 6"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Fix deferred", "package_name": "hadoop-container", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Fix deferred", "package_name": "openshift4/ose-metering-hive", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Fix deferred", "package_name": "openshift4/ose-metering-presto", "product_name": "Red Hat OpenShift Container Platform 4"}], "public_date": "2022-06-13T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2021-37404\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-37404"], "statement": "This package is a transitive dependency and is not used directly in the Red Hat products. Hence, it is categorized as a Moderate impact.", "threat_severity": "Moderate", "upstream_fix": "Apache Hadoop 2.10.2, Apache Hadoop 3.2.3, Apache Hadoop 3.3.2"}