Description
In Apache Hadoop versions 3.0.0-alpha2 to 3.0.0, 2.9.0 to 2.9.2, 2.8.0 to 2.8.5, any users can access some servlets without authentication when Kerberos authentication is enabled and SPNEGO through HTTP is not enabled.
Remediation
References
https://lists.apache.org/thread.html/r17d94d132b207dad221595fd8b8b18628f5f5ec7e3f5be939ecd8928%40%3Ccommits.druid.apache.org%3E
https://lists.apache.org/thread.html/r2c7f899911a04164ed1707083fcd4135f8427e04778c87d83509b0da%40%3Cgeneral.hadoop.apache.org%3E
https://lists.apache.org/thread.html/r46447f38ea8c89421614e9efd7de5e656186d35e10fc97cf88477a01%40%3Ccommits.druid.apache.org%3E
https://lists.apache.org/thread.html/r4dddf1705dbedfa94392913b2dad1cd2d1d89040facd389eea0b3510%40%3Ccommits.druid.apache.org%3E
https://lists.apache.org/thread.html/r74825601e93582167eb7cdc2f764c74c9c6d8006fa90018562fda60f%40%3Ccommits.druid.apache.org%3E
https://lists.apache.org/thread.html/r79b15c5b66c6df175d01d7560adf0cd5c369129b9a161905e0339927%40%3Ccommits.druid.apache.org%3E
https://lists.apache.org/thread.html/rb21df54a4e39732ce653d2aa5672e36a792b59eb6717f2a06bb8d02a%40%3Ccommits.druid.apache.org%3E
https://lists.apache.org/thread.html/rb241464d83baa3749b08cd3dabc8dba70a9a9027edcef3b5d4c24ef4%40%3Ccommits.druid.apache.org%3E
https://lists.apache.org/thread.html/rbe25cac0f499374f8ae17a4a44a8404927b56de28d4c41940d82b7a4%40%3Ccommits.druid.apache.org%3E
https://lists.apache.org/thread.html/reea5eb8622afbfbfca46bc758f79db83d90a3263a906c4d1acba4971%40%3Ccommits.druid.apache.org%3E
https://lists.apache.org/thread.html/rf9dfa8b77585c9227db9637552eebb2ab029255a0db4eb76c2b6c4cf%40%3Cdev.druid.apache.org%3E
https://security.netapp.com/advisory/ntap-20201016-0005/
Related Vulnerabilities
CVE-2023-40349 Vulnerability in maven package org.jenkins-ci.plugins:gogs-webhook
CVE-2023-48796 Vulnerability in maven package org.apache.dolphinscheduler:dolphinscheduler-master
CVE-2020-27216 Vulnerability in maven package org.mortbay.jetty:jetty
CVE-2023-35141 Vulnerability in maven package org.jenkins-ci.main:jenkins-core
CVE-2020-7663 Vulnerability in npm package websocket-extensions