What is CVE-2016-3086?

CVE-2016-3086 is a critical-severity vulnerability in Apache Hadoop, classified under Information Disclosure. CVSS score: 9.8/10. Published 2017-09-05.

How severe is CVE-2016-3086?

Critical severity. CVSS v3 base score is 9.8 out of 10.

Information disclosure in Apache Hadoop

CVE-2016-3086

The YARN NodeManager in Apache Hadoop 2.6.x before 2.6.5 and 2.7.x before 2.7.3 can leak the password for credential store provider used by the NodeManager to YARN Applications.

Vulnerability class: Information Disclosure

EPSS: 0.036 (88.0th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 9.8 (Critical). Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.

Affected products

Apache Hadoop — versions 2.6.0, 2.6.1, 2.6.2
Apache Software Foundation Hadoop — versions 2.7.0 to 2.7.2, 2.6.0 to 2.6.4

Weakness classification (CWE)

CWE-200 — Information Disclosure

References

security@apache.org (VDB Entry, Third Party Advisory, vdb-entry, x_refsource_BID)
security@apache.org (Vendor Advisory, mailing-list, x_refsource_MLIST, Mailing List, Mitigation)

Frequently asked questions

What is CVE-2016-3086?: CVE-2016-3086 is a critical-severity vulnerability in Apache Hadoop, classified under Information Disclosure. CVSS score: 9.8/10. Published 2017-09-05.
How severe is CVE-2016-3086?: Critical severity. CVSS v3 base score is 9.8 out of 10.