Unauthenticated Access to Servlets in Apache Hadoop with Kerberos Authentication Enabled

Unauthenticated Access to Servlets in Apache Hadoop with Kerberos Authentication Enabled

CVE-2018-11765 · HIGH Severity

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

In Apache Hadoop versions 3.0.0-alpha2 to 3.0.0, 2.9.0 to 2.9.2, 2.8.0 to 2.8.5, any users can access some servlets without authentication when Kerberos authentication is enabled and SPNEGO through HTTP is not enabled.

Learn more about our Cis Benchmark Audit For Apache Http Server.