Description
Apache Hadoop 0.23.x before 0.23.11 and 2.x before 2.4.1, as used in Cloudera CDH 5.0.x before 5.0.2, do not check authorization for the (1) refreshNamenodes, (2) deleteBlockPool, and (3) shutdownDatanode HDFS admin commands, which allows remote authenticated users to cause a denial of service (DataNode shutdown) or perform unnecessary operations by issuing one of these commands.
Remediation
References
https://www.cloudera.com/documentation/other/security-bulletins/topics/csb_topic_1.html#concept_i1q_xvk_2r