GHSA-8r28-r8cp-g6cp

GitHub Security Advisory

Exposure of Sensitive Information to an Unauthorized Actor in Apache Hadoop

✓ GitHub Reviewed MODERATE Has CVE

Advisory Details

This is an information disclosure vulnerability in Apache Hadoop before 2.6.4 and 2.7.x before 2.7.2 in the short-circuit reads feature of HDFS. A local user on an HDFS DataNode may be able to craft a block token that grants unauthorized read access to random files by guessing certain fields in the token.

Affected Packages

Maven org.apache.hadoop:hadoop-common
Affected versions: 0 (fixed in 2.6.4)
Maven org.apache.hadoop:hadoop-common
Affected versions: 2.7.0 (fixed in 2.7.2)

Related CVEs

Key Information

GHSA ID: GHSA-8r28-r8cp-g6cp
Published: May 13, 2022 1:08 AM
Last Modified: July 6, 2022 7:43 PM
CVSS Score: 5.0 / 10
Primary Ecosystem: Maven
Primary Package: org.apache.hadoop:hadoop-common
GitHub Reviewed: ✓ Yes

Dataset

Last updated: July 28, 2025 6:37 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.