In Apache Hadoop 3.0.0-alpha1 to 3.0.0, 2.9.0, 2.8.0 to 2.8.3, and 2.5.0 to 2.7.5, HDFS exposes extended attribute key/value pairs during listXAttrs, verifying only path-level search access to the directory rather than path-level read permission to the referent.

Affected Packages

Maven org.apache.hadoop:hadoop-main

Affected versions: 0 (fixed in 2.7.6)

Maven org.apache.hadoop:hadoop-main

Affected versions: 2.8.0 (fixed in 2.8.4)

Maven org.apache.hadoop:hadoop-main

Affected versions: 2.9.0 (fixed in 2.9.1)

Related CVEs

CVE-2018-1296

Key Information

GHSA ID

GHSA-v569-g72v-q434

Published

February 12, 2019 5:26 PM

Last Modified

September 14, 2022 10:43 PM

CVSS Score

7.5 /10

Primary Ecosystem

Maven

Primary Package

org.apache.hadoop:hadoop-main

GitHub Reviewed

✓ Yes

Dataset

Last updated: July 28, 2025 6:37 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.