CVE-2015-1776: Exposure of Sensitive Information to an Unauthorized Actor in Apache Hadoop
CVSS Score: 6.2 (CVSS v3.0)
Basic Information
CVE ID: CVE-2015-1776
GHSA ID:
EPSS Score: 0.20619%
CWE:
Published: 5/17/2022
Updated: 1/27/2023
KEV Status: No
Technology: Java
Technical Details
CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (local attack vector, low complexity, no privileges or user interaction required, unchanged scope; high confidentiality impact, no impact on integrity or availability)
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
org.apache.hadoop:hadoop-common | maven | >= 2.6.0, <= 2.6.4 | 2.6.5 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from the key used to encrypt a MapReduce job's intermediate data being stored, alongside the job's other credentials, in a credentials file on disk when intermediate data encryption is enabled. A local user who can read that file recovers the key and with it the data the encryption was meant to protect. The identified functions are core components of Hadoop's credential handling:
- addSecretKey() places the encryption key into the job's Credentials object
- writeConf() and writeTokenStorageFile() persist the job configuration and the Credentials object to disk

These functions would appear in stack traces during job submission and credential serialization when intermediate data encryption is enabled, and they are directly implicated by the vulnerability description of sensitive data being stored in credentials files.
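To see what the exposure looks like on disk, the following added example (written for this page, not code from Hadoop or from the advisory) re-implements in Python the version-0 "HDTS" token-storage layout that Credentials.writeTokenStorageToStream() emits in Hadoop 2.x: Writable vints, Text strings, the token map first, then the secret-key map that addSecretKey() populates. With that, a credentials file written by writeTokenStorageFile() can be inspected on a host without Hadoop installed, and the example shows that the secret key comes back verbatim to anyone who can read the file. The key alias, the sample token, the 16-byte key and the 0644 file mode are constructed for the demonstration and are not the values Hadoop uses.

```python
"""Added example (not Hadoop's or the advisory's code): read the secret keys
held in cleartext in a Hadoop 2.x credentials file.  It re-implements the
version-0 "HDTS" token-storage layout that Credentials.writeTokenStorageToStream()
emits (Writable vints, Text strings, tokens first, then secret keys).  The key
alias and the sample token below are constructed stand-ins."""
import io, os, stat, struct, tempfile

TOKEN_STORAGE_MAGIC = b"HDTS"
TOKEN_STORAGE_VERSION = 0  # Writable layout of Hadoop 2.x
SPILL_KEY_ALIAS = "mapreduce.job.encrypted-intermediate-data.key"  # constructed alias

def write_vlong(i: int) -> bytes:
    """WritableUtils.writeVLong: one byte for -112..127, otherwise a length
    byte then the big-endian magnitude (one's complement for negatives)."""
    if -112 <= i <= 127:
        return struct.pack("b", i)
    length = -112
    if i < 0:
        i ^= -1
        length = -120
    tmp = i
    while tmp:
        tmp >>= 8
        length -= 1
    nbytes = -(length + 120) if length < -120 else -(length + 112)
    out = bytearray(struct.pack("b", length))
    for idx in range(nbytes, 0, -1):
        out.append((i >> ((idx - 1) * 8)) & 0xFF)
    return bytes(out)

def read_vlong(buf: io.BytesIO) -> int:
    """WritableUtils.readVLong, the inverse of write_vlong."""
    first = struct.unpack("b", buf.read(1))[0]
    if first >= -112:
        return first
    size = (-119 - first) if first < -120 else (-111 - first)
    value = int.from_bytes(buf.read(size - 1), "big")
    return value ^ -1 if first < -120 else value

# Text and byte[] fields: vint length prefix followed by the raw bytes.
def write_bytes(b): return write_vlong(len(b)) + b
def read_bytes(buf): return buf.read(read_vlong(buf))
def write_text(s): return write_bytes(s.encode("utf-8"))
def read_text(buf): return read_bytes(buf).decode("utf-8")

def serialize_credentials(tokens: list, secret_keys: dict) -> bytes:
    """Magic, version, then Credentials.write(): token map, then secret keys."""
    out = bytearray(TOKEN_STORAGE_MAGIC) + bytes([TOKEN_STORAGE_VERSION])
    out += write_vlong(len(tokens))
    for alias, identifier, password, kind, service in tokens:  # Token.write()
        out += write_text(alias) + write_bytes(identifier) + write_bytes(password)
        out += write_text(kind) + write_text(service)
    out += write_vlong(len(secret_keys))
    for alias, key in secret_keys.items():  # what addSecretKey() put in the map
        out += write_text(alias) + write_bytes(key)
    return bytes(out)

def parse_credentials(data: bytes):
    """Returns (tokens, secret_keys); tokens are consumed first, as in the file."""
    buf = io.BytesIO(data)
    if buf.read(4) != TOKEN_STORAGE_MAGIC:
        raise ValueError("not a Hadoop token storage file")
    version = buf.read(1)[0]
    if version != TOKEN_STORAGE_VERSION:
        raise ValueError("unsupported token storage version %d" % version)
    tokens = []
    for _ in range(read_vlong(buf)):
        alias = read_text(buf)
        identifier, password = read_bytes(buf), read_bytes(buf)
        kind, service = read_text(buf), read_text(buf)
        tokens.append((alias, identifier, password, kind, service))
    secret_keys = {}
    for _ in range(read_vlong(buf)):
        alias = read_text(buf)
        secret_keys[alias] = read_bytes(buf)
    return tokens, secret_keys

def exposed_secret_keys(path: str):
    """Secret keys recoverable from the file, plus whether group/other can read it."""
    with open(path, "rb") as f:
        _, keys = parse_credentials(f.read())
    shared = bool(os.stat(path).st_mode & (stat.S_IRGRP | stat.S_IROTH))
    return keys, shared

def demo():
    """Write a constructed credentials file (one delegation token plus a 16-byte
    intermediate-data key) with 0644 permissions, then recover the key from disk."""
    spill_key = bytes(range(16))  # constructed key, stands in for the generated one
    tokens = [("nn", b"\x01ident", b"\x02pw", "HDFS_DELEGATION_TOKEN", "nn:8020")]
    blob = serialize_credentials(tokens, {SPILL_KEY_ALIAS: spill_key})
    fd, path = tempfile.mkstemp(suffix=".credentials")
    try:
        os.write(fd, blob)
        os.close(fd)
        os.chmod(path, 0o644)
        return exposed_secret_keys(path)
    finally:
        os.unlink(path)
```

Point exposed_secret_keys() at a credentials file produced by writeTokenStorageFile(): every alias it returns is a key sitting in cleartext for whoever can read the file, and the mode check flags the common case where that includes other local users. Because the secret-key map follows the token map, the parser walks the delegation tokens first; a scanner that only searched for the key bytes would still work, but this one also tells you which alias the key was stored under.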