7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2018-11765

GHSA ID

GHSA-rhh9-cm65-3w54

EPSS Score

0.77534%

CWE

CWE-287

Published

4/30/2021

Updated

2/1/2023

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2018-11765

CVE-2018-11765: Improper Authentication in Apache Hadoop

In Apache Hadoop versions 3.0.0-alpha2 to 3.0.0, 2.9.0 to 2.9.2, 2.8.0 to 2.8.5, any users can access some servlets without authentication when Kerberos authentication is enabled and SPNEGO through HTTP is not enabled.

(GitHub Advisory)

7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2018-11765

GHSA ID

GHSA-rhh9-cm65-3w54

EPSS Score

0.77534%

CWE

CWE-287

Published

4/30/2021

Updated

2/1/2023

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.apache.hadoop:hadoop-main	maven	>= 3.0.0-alpha2, <= 3.0.0	3.0.1
org.apache.hadoop:hadoop-main	maven	>= 2.9.0, <= 2.9.2	2.9.3
org.apache.hadoop:hadoop-main	maven	>= 2.8.0, <= 2.8.5	2.8.6

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from missing authentication checks in Hadoop's web UI components when Kerberos is enabled without SPNEGO. The SecurityFilter class is central to authentication enforcement, and its doFilter() method would appear in stack traces when handling unauthenticated requests. NameNode and ResourceManager HTTP handlers are specifically called out in Hadoop security documentation as components requiring authentication. While exact patch details aren't available, the vulnerability pattern suggests these core authentication-related functions would be involved in processing unauthorized requests. Confidence levels reflect SecurityFilter's direct role in authentication versus component-specific handlers where exact vulnerable endpoints aren't specified in available documentation.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

In *p**** ***oop v*rsions *.*.*-*lp*** to *.*.*, *.*.* to *.*.*, *.*.* to *.*.*, *ny us*rs **n ****ss som* s*rvl*ts wit*out *ut**nti**tion w**n K*r**ros *ut**nti**tion is *n**l** *n* SPN**O t*rou** *TTP is not *n**l**.

Reasoning

T** vuln*r**ility st*ms *rom missin* *ut**nti**tion ****ks in ***oop's w** UI *ompon*nts w**n K*r**ros is *n**l** wit*out SPN**O. T** `S**urity*ilt*r` *l*ss is **ntr*l to *ut**nti**tion *n*or**m*nt, *n* its `*o*ilt*r()` m*t*o* woul* *pp**r in st**k t

7.5

Basic Information

Concerned about an active attack path?

CVE-2018-11765: Improper Authentication in Apache Hadoop

7.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI