vulnerability
Apache Hadoop YARN ResourceManager REST API Arbitrary Command Execution
Severity | CVSS | Published | Added | Modified |
---|---|---|---|---|
10 | (AV:N/AC:L/Au:N/C:C/I:C/A:C) | Oct 19, 2016 | Nov 17, 2020 | Feb 18, 2025 |
Severity
10
CVSS
(AV:N/AC:L/Au:N/C:C/I:C/A:C)
Published
Oct 19, 2016
Added
Nov 17, 2020
Modified
Feb 18, 2025
Description
Access to Apache Hadoop YARN's ResourceManager REST API could lead to arbitrary command execution. By default, Hadoop HTTP web-consoles (ResourceManager, NameNode, NodeManagers, and DataNodes) allow access without any form of authentication.
Solution
http-hadoop-yarn-resourcemanager
References
- URL-http://archive.hack.lu/2016/Wavestone%20-%20Hack.lu%202016%20-%20Hadoop%20safari%20-%20Hunting%20for%20vulnerabilities%20-%20v1.0.pdf
- URL-https://github.com/vulhub/vulhub/tree/master/hadoop/unauthorized-yarn
- URL-https://hadoop.apache.org/docs/current/hadoop-yarn/hadoop-yarn-site/ResourceManagerRest.html

NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.