Miggo Logo
Miggo Vulnerability Database
CVE-2017-15718

CVE-2017-15718: Exposure of Sensitive Information in Hadoop

9.8

CVSS Score
3.0

Basic Information

CVE ID
CVE-2017-15718
GHSA ID
GHSA-mq8p-h798-xcrp
EPSS Score
0.76468%
CWE
CWE-200
Published
12/21/2018
Updated
1/9/2023
KEV Status
No
Technology
TechnologyJava

Technical Details

CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
org.apache.hadoop:hadoop-mainmaven>= 2.7.3, <= 2.7.42.7.5

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from the NodeManager exposing its credential store provider password through configuration or environment variables accessible to YARN applications. Based on Hadoop architecture patterns:

  1. NodeManager configuration exposure through getConfig() or similar methods would directly leak credentials
  2. ContainerManagerImpl's container startup sequence would be responsible for constructing execution environments containing sensitive values While the exact patch details are unavailable, these functions represent the most likely candidates based on:
  • The vulnerability pattern (sensitive data exposure via environment)
  • Hadoop's architecture (configuration passing to containers)
  • Critical nature of the exposure (requires direct data flow from NM to applications) Confidence is medium due to reliance on architectural patterns rather than direct patch analysis.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

T** Y*RN No**M*n***r in *p**** ***oop *.*.* *n* *.*.* **n l**k t** p*sswor* *or *r***nti*l stor* provi**r us** *y t** No**M*n***r to Y*RN *ppli**tions.

Reasoning

T** vuln*r**ility st*ms *rom t** No**M*n***r *xposin* its *r***nti*l stor* provi**r p*sswor* t*rou** *on*i*ur*tion or *nvironm*nt v*ri**l*s ****ssi*l* to Y*RN *ppli**tions. **s** on ***oop *r**it**tur* p*tt*rns: *. No**M*n***r *on*i*ur*tion *xposur*