CVE-2016-3086
Exposure of Sensitive Information to an Unauthorized Actor in Apache Hadoop
CVSS 3.1: 9.8 (CRITICAL)
EPSS: 3.6%
Description
The YARN NodeManager in Apache Hadoop 2.6.x before 2.6.5 and 2.7.x before 2.7.3 can leak the password for the credential store provider used by the NodeManager to YARN applications.
How to fix CVE-2016-3086
To remediate CVE-2016-3086, upgrade the affected package to a fixed version below.
- Maven/org.apache.hadoop:hadoop-yarn-server-nodemanager: upgrade to 2.6.5 or later
Is CVE-2016-3086 being exploited?
Low — EPSS is 3.6%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- Maven/org.apache.hadoop:hadoop-yarn-server-nodemanager: >= 2.6.0, < 2.6.5
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL 9.8 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |