cvedb.io
CVE-2017-5640
CRITICAL · CVSS 9.8
EPSS exploitation probability: 0%
Published 2017-07-10T20:29:00.237 · Last modified 2026-06-17T01:20:54.380

Summary

A malicious process impersonating an Impala daemon in Apache Impala (incubating) 2.7.0 to 2.8.0 could cause Impala daemons to skip authentication checks when Kerberos is enabled but TLS is not. If the malicious server responds with 'COMPLETE' before the SASL handshake has completed, the client treats the handshake as completed even though no exchange of credentials has taken place.
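The client-side check that is missing here, shown as an added example that is not Impala's or Thrift's own code: a constructed SASL negotiation loop over Thrift-style SASL frames (assumed framing: one status byte, a 4-byte big-endian length, then the payload; status codes START/OK/BAD/ERROR/COMPLETE as in Thrift's TSaslTransport), with a toy mechanism standing in for Kerberos. The vulnerable loop believes the peer's COMPLETE; the hardened loop only accepts COMPLETE once its own mechanism reports that the credential exchange actually finished.

```python
import struct

# Thrift SASL transport status codes (assumed to match TSaslTransport).
START, OK, BAD, ERROR, COMPLETE = 1, 2, 3, 4, 5


def encode_frame(status: int, payload: bytes) -> bytes:
    """Constructed frame: 1 status byte + 4-byte big-endian length + payload."""
    return struct.pack(">BI", status, len(payload)) + payload


def decode_frame(buf: bytes):
    """Split one frame off the front of buf; returns (status, payload, rest)."""
    status, length = struct.unpack(">BI", buf[:5])
    payload = buf[5:5 + length]
    if len(payload) != length:
        raise ValueError("short SASL frame")
    return status, payload, buf[5 + length:]


class ToyMechanism:
    """Stand-in for a GSSAPI/Kerberos client mechanism (constructed).
    It is only 'complete' after it has verified one server token."""
    def __init__(self):
        self.complete = False

    def step(self, server_token: bytes) -> bytes:
        if server_token != b"SERVER-PROOF":      # placeholder for a real mutual-auth token
            raise ValueError("server token rejected")
        self.complete = True
        return b""


def negotiate(frames: bytes, require_local_completion: bool) -> bool:
    """Drive the client side of the handshake over the server's frames.
    Returns True only if the client decides the peer is authenticated."""
    mech, buf = ToyMechanism(), frames
    while buf:
        status, payload, buf = decode_frame(buf)
        if status == COMPLETE:
            # Vulnerable behaviour: take the peer's word for it.
            # Hardened behaviour: the peer's COMPLETE means nothing unless
            # our own mechanism has already finished the credential exchange.
            if require_local_completion and not mech.complete:
                return False
            return True
        if status == OK:
            mech.step(payload)
        else:                                    # BAD / ERROR / anything else
            return False
    return False


# Constructed server transcripts: one that sends COMPLETE with no exchange,
# one that supplies its proof token first.
EARLY_COMPLETE = encode_frame(COMPLETE, b"")
HONEST_SERVER = encode_frame(OK, b"SERVER-PROOF") + encode_frame(COMPLETE, b"")
```

`negotiate(EARLY_COMPLETE, False)` reproduces the flaw (returns True with no credentials exchanged); with `require_local_completion=True` the same transcript is rejected while the honest one still succeeds.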

Affected products

apache — impala

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.