{"id":"CVE-2021-33036","details":"In Apache Hadoop 2.2.0 to 2.10.1, 3.0.0-alpha1 to 3.1.4, 3.2.0 to 3.2.2, and 3.3.0 to 3.3.1, a user who can escalate to yarn user can possibly run arbitrary commands as root user. Users should upgrade to Apache Hadoop 2.10.2, 3.2.3, 3.3.2 or higher.","aliases":["GHSA-58jx-f5rf-qgqf"],"modified":"2026-04-11T17:25:56.604012Z","published":"2022-06-15T15:15:07.973Z","references":[{"type":"ADVISORY","url":"http://www.openwall.com/lists/oss-security/2022/06/15/2"},{"type":"ADVISORY","url":"https://lists.apache.org/thread/ctr84rmo3xd2tzqcx2b277c8z692vhl5"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20220722-0003/"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/apache/hadoop","events":[{"introduced":"c40e9eb30aa4bf8f3c3eb7c139a06c665417b8c6"},{"fixed":"965fd380006fa78b2315668fbc7eb432e1d8200f"},{"introduced":"496dc57cc2e4f4da117f7a8e3840aaeac0c1d2d0"},{"fixed":"abe5358143720085498613d399be3bbf01e0f131"},{"introduced":"aa96f1871bfd858f9bac59cf2a81ec470da649af"},{"fixed":"0bcb014209e219273cb6fd4152df7df713cbac61"},{"introduced":"0"},{"last_affected":"a990d2ebcd6de5d7dc2d3684930759b0f0ea4dc3"},{"introduced":"0"},{"last_affected":"1337ef4eef14fbbb214e71b68b7eb07061a4a212"},{"introduced":"0"},{"last_affected":"7c0489beb9fdf12e223a9e57779d3fef765a44d2"},{"introduced":"0"},{"last_affected":"e324cf8a2a6e55e996414ff281fee757f09d8172"}],"database_specific":{"versions":[{"introduced":"2.2.0"},{"fixed":"2.10.2"},{"introduced":"3.0.1"},{"fixed":"3.2.3"},{"introduced":"3.3.0"},{"fixed":"3.3.2"},{"introduced":"0"},{"last_affected":"3.0.0-alpha1"},{"introduced":"0"},{"last_affected":"3.0.0-alpha2"},{"introduced":"0"},{"last_affected":"3.0.0-alpha3"},{"introduced":"0"},{"last_affected":"3.0.0-alpha4"}]}}],"versions":["rel/release-3.0.0-alpha1","rel/release-3.0.0-alpha2","rel/release-3.0.0-alpha3","rel/release-3.0.0-alpha4","release-3.0.0-alpha1-RC0","release-3.0.0-alpha2-RC0","release-3.0.0-alpha4-RC0","release-3.2.3-RC0","release-3.3.2-RC0","release-3.3.2-RC1","release-3.3.2-RC2","release-3.3.2-RC3","remove-ozone"],"database_specific":{"vanir_signatures_modified":"2026-04-11T17:25:56Z","vanir_signatures":[{"target":{"file":"hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/conf/Configuration.java","function":"getTimeDurationHelper"},"signature_type":"Function","digest":{"length":705,"function_hash":"172508901140850166315077168976677568660"},"deprecated":false,"signature_version":"v1","id":"CVE-2021-33036-cf0079d5","source":"https://github.com/apache/hadoop/commit/abe5358143720085498613d399be3bbf01e0f131"},{"target":{"file":"hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/conf/Configuration.java"},"signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["117241420199337029436298470313516342337","10911464053357943410825609861845695837","240437666491262468440316638114074933731","226622566833744400926285549106341911654","249375286985992668764075164756526076674"]},"deprecated":false,"signature_version":"v1","id":"CVE-2021-33036-f2b0819d","source":"https://github.com/apache/hadoop/commit/abe5358143720085498613d399be3bbf01e0f131"}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-33036.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}