{"id":"CVE-2018-1296","details":"In Apache Hadoop 3.0.0-alpha1 to 3.0.0, 2.9.0, 2.8.0 to 2.8.3, and 2.5.0 to 2.7.5, HDFS exposes extended attribute key/value pairs during listXAttrs, verifying only path-level search access to the directory rather than path-level read permission to the referent.","aliases":["GHSA-v569-g72v-q434"],"modified":"2026-04-10T04:05:08.642401Z","published":"2019-02-07T22:29:00.240Z","references":[{"type":"WEB","url":"https://lists.apache.org/thread.html/a5b15bc76fbdad2ee40761aacf954a13aeef67e305f86d483f267e8e%40%3Cuser.hadoop.apache.org%3E"},{"type":"ADVISORY","url":"http://www.securityfocus.com/bid/106764"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/apache/hadoop","events":[{"introduced":"c83ca909ec4008c2880a487be1e6fd3b63dee6be"},{"last_affected":"18065c2b6806ed4aa6a3187d77cbe21bb3dba075"},{"introduced":"0"},{"last_affected":"91f2b7a13d1e97be65db92ddabc627cc29ac0009"},{"introduced":"0"},{"last_affected":"1e6296df38f9cd3d9581c8af58a2a03a6e4312be"},{"introduced":"0"},{"last_affected":"66c47f2a01ad9637879e95f80c41f798373828fb"},{"introduced":"0"},{"last_affected":"b3fe56402d908019d99af1f1f4fc65cb1d1436a2"},{"introduced":"0"},{"last_affected":"756ebc8394e473ac25feac05fa493f6d612e6c50"},{"introduced":"0"},{"last_affected":"c25427ceca461ee979d30edd7a4b0f50718e6533"},{"introduced":"0"},{"last_affected":"a990d2ebcd6de5d7dc2d3684930759b0f0ea4dc3"},{"introduced":"0"},{"last_affected":"1337ef4eef14fbbb214e71b68b7eb07061a4a212"},{"introduced":"0"},{"last_affected":"7c0489beb9fdf12e223a9e57779d3fef765a44d2"},{"introduced":"0"},{"last_affected":"e324cf8a2a6e55e996414ff281fee757f09d8172"},{"introduced":"0"},{"last_affected":"1002c582d86ae8689c497c3d31b73f1ab92d5e29"}],"database_specific":{"versions":[{"introduced":"2.5.0"},{"last_affected":"2.7.5"},{"introduced":"0"},{"last_affected":"2.8.0"},{"introduced":"0"},{"last_affected":"2.8.1"},{"introduced":"0"},{"last_affected":"2.8.2"},{"introduced":"0"},{"last_affected":"2.8.3"},{"introduced":"0"},{"last_affected":"2.9.0"},{"introduced":"0"},{"last_affected":"3.0.0"},{"introduced":"0"},{"last_affected":"3.0.0-alpha1"},{"introduced":"0"},{"last_affected":"3.0.0-alpha2"},{"introduced":"0"},{"last_affected":"3.0.0-alpha3"},{"introduced":"0"},{"last_affected":"3.0.0-alpha4"},{"introduced":"0"},{"last_affected":"3.0.0-beta1"}]}}],"versions":["rel/release-","rel/release-2.7.5","rel/release-2.8.0","rel/release-2.8.1","rel/release-2.8.2","rel/release-2.8.3","rel/release-2.9.0","rel/release-3.0.0","rel/release-3.0.0-alpha1","rel/release-3.0.0-alpha2","rel/release-3.0.0-alpha3","rel/release-3.0.0-alpha4","rel/release-3.0.0-beta1","release-2.7.5-RC0","release-2.7.5-RC1","release-2.8.0-RC0","release-2.8.0-RC1","release-2.8.0-RC2","release-2.8.0-RC3","release-2.8.2-RC0","release-2.8.2-RC1","release-2.8.3-RC0","release-2.9.0-RC0","release-2.9.0-RC1","release-2.9.0-RC2","release-2.9.0-RC3","release-3.0.0-RC0","release-3.0.0-RC1","release-3.0.0-alpha1-RC0","release-3.0.0-alpha2-RC0","release-3.0.0-alpha4-RC0","release-3.0.0-beta1-RC0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-1296.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}]}