Multiple vulnerabilities in Apache Gobblin
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 2 |
| CVE-ID | CVE-2021-36151 CVE-2021-36152 |
| CWE-ID | CWE-312 CWE-295 |
| Exploitation vector | Local network |
| Public exploit | N/A |
| Vulnerable software |
Apache Gobblin Server applications / Database software |
| Vendor | Apache Foundation |
Security Bulletin
This security bulletin contains information about 2 vulnerabilities.
1) Cleartext storage of sensitive information
EUVDB-ID: #VU60290
Risk: Low
CVSSv3.1: 6.2 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-36151
CWE-ID:
CWE-312 - Cleartext Storage of Sensitive Information
Exploit availability: No
DescriptionThe vulnerability allows a local user to gain access to sensitive information.
The vulnerability exists due to Apache Gobblin stores the Hadoop token in clear text inside a temporary file, accessible to all local users. A local user can obtain the token and gain access to the Hadoop database.
Install updates from vendor's website.
Vulnerable software versionsApache Gobblin: 0.11.0 - 0.15.0
CPE2.3- cpe:2.3:a:apache_foundation:apache_gobblin:0.15.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache_foundation:apache_gobblin:0.14.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache_foundation:apache_gobblin:0.13.0:*:*:*:*:*:*:*
http://seclists.org/oss-sec/2022/q1/121
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
The attacker would have to login to the system and perform certain actions in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Improper Certificate Validation
EUVDB-ID: #VU60289
Risk: Medium
CVSSv3.1: 4.7 [CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-36152
CWE-ID:
CWE-295 - Improper Certificate Validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform MitM attack.
The vulnerability exists due to application trusts all certificates supplied for LDAP connections in Gobblin-as-a-Service. A remote attacker with ability to intercept traffic can perform MitM attack and read or modify transferred information.
Install updates from vendor's website.
Vulnerable software versionsApache Gobblin: 0.11.0 - 0.15.0
CPE2.3- cpe:2.3:a:apache_foundation:apache_gobblin:0.15.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache_foundation:apache_gobblin:0.14.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache_foundation:apache_gobblin:0.13.0:*:*:*:*:*:*:*
http://seclists.org/oss-sec/2022/q1/120
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
