Apache Hadoop Jetty XSS

This script is Copyright (C) 2011-2014 Tenable Network Security, Inc.


Synopsis :

The remote web server has a cross-site scripting vulnerability.

Description :

The version of Apache Hadoop running on the remote host has a cross-
site scripting vulnerability. This is due to a bug in Jetty, the
underlying web server. When Jetty displays a directory listing,
arbitrary text can be inserted into the page. This affects all
Hadoop components that use the Jetty web server.

A remote attacker could exploit this by tricking a user into making a
maliciously crafted request, resulting in the execution of arbitrary
script code.

It is likely this version of Hadoop has other security vulnerabilities,
though Nessus did not check for those issues.

See also :

https://issues.apache.org/jira/browse/HADOOP-6882
http://hadoop.apache.org/common/docs/r0.20.203.0/releasenotes.html

Solution :

Upgrade to Hadoop 0.20.203.0 or a later, stable version.

Risk factor :

Medium / CVSS Base Score : 4.3
(CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)
CVSS Temporal Score : 3.7
(CVSS2#E:ND/RL:OF/RC:C)
Public Exploit Available : true

Family: CGI abuses : XSS

Nessus Plugin ID: 55975 ()

Bugtraq ID: 34800

CVE ID: CVE-2009-1524