Description
Apache Hadoop 0.23.x before 0.23.11 and 2.x before 2.4.1, as used in Cloudera CDH 5.0.x before 5.0.2, do not check authorization for the (1) refreshNamenodes, (2) deleteBlockPool, and (3) shutdownDatanode HDFS admin commands, which allows remote authenticated users to cause a denial of service (DataNodes shutdown) or perform unnecessary operations by issuing a command.
Remediation
References
https://www.cloudera.com/documentation/other/security-bulletins/topics/csb_topic_1.html#concept_i1q_xvk_2r