Skip to main content

Hadoop CVE-2013-2192

LOW
Improper Authentication (CWE-287)
2014-01-24 secalert@redhat.com
3.2
CVSS 2.0 · NVD

Severity by source

NVD PRIMARY
3.2 LOW
AV:A/AC:H/Au:N/C:P/I:P/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

AV:A/AC:H/Au:N/C:P/I:P/A:N
Attack Vector
Adjacent
Attack Complexity
High
Confidentiality
P
Integrity
P
Availability
None

Lifecycle Timeline

1
CVE Published
Jan 24, 2014 - 18:55 cve.org
LOW 3.2

DescriptionCVE.org

The RPC protocol implementation in Apache Hadoop 2.x before 2.0.6-alpha, 0.23.x before 0.23.9, and 1.x before 1.2.1, when the Kerberos security features are enabled, allows man-in-the-middle attackers to disable bidirectional authentication and obtain sensitive information by forcing a downgrade to simple authentication.

AnalysisAI

The RPC protocol implementation in Apache Hadoop 2.x before 2.0.6-alpha, 0.23.x before 0.23.9, and 1.x before 1.2.1, when the Kerberos security features are enabled, allows man-in-the-middle. Rated low severity (CVSS 3.2). This Improper Authentication vulnerability could allow attackers to bypass authentication mechanisms to gain unauthorized access.

Technical ContextAI

This vulnerability is classified as Improper Authentication (CWE-287), which allows attackers to bypass authentication mechanisms to gain unauthorized access. The RPC protocol implementation in Apache Hadoop 2.x before 2.0.6-alpha, 0.23.x before 0.23.9, and 1.x before 1.2.1, when the Kerberos security features are enabled, allows man-in-the-middle attackers to disable bidirectional authentication and obtain sensitive information by forcing a downgrade to simple authentication. Affected products include: Apache Hadoop. Version information: before 2.0.6.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Implement multi-factor authentication, enforce strong password policies, use proven authentication frameworks.

More in Hadoop

View all
CVE-2022-26612 CRITICAL POC
9.8 Apr 07

In Apache Hadoop, The unTar function uses unTarUsingJava function on Windows and the built-in tar utility on Unix and ot

CVE-2018-8009 HIGH POC
8.8 Nov 13

Apache Hadoop 3.1.0, 3.0.0-alpha to 3.0.2, 2.9.0 to 2.9.1, 2.8.0 to 2.8.4, 2.0.0-alpha to 2.7.6, 0.23.0 to 0.23.11 is ex

CVE-2016-3086 CRITICAL
9.8 Sep 05

The YARN NodeManager in Apache Hadoop 2.6.x before 2.6.5 and 2.7.x before 2.7.3 can leak the password for credential sto

CVE-2012-4449 CRITICAL
9.8 Oct 30

Apache Hadoop before 0.23.4, 1.x before 1.0.4, and 2.x before 2.0.2 generate token passwords using a 20-bit secret when

CVE-2022-25168 CRITICAL
9.8 Aug 04

Apache Hadoop's FileUtil.unTar(File, File) API does not escape the input file name before being passed to the shell. Rat

CVE-2019-17195 CRITICAL
9.8 Oct 15

Connect2id Nimbus JOSE+JWT before v7.9 can throw various uncaught exceptions while parsing a JWT, which could result in

CVE-2016-5393 HIGH
8.8 Nov 29

In Apache Hadoop 2.6.x before 2.6.5 and 2.7.x before 2.7.3, a remote user who can authenticate with the HDFS NameNode ca

CVE-2016-6811 HIGH
8.8 Apr 11

In Apache Hadoop 2.x before 2.7.4, a user who can escalate to yarn user can possibly run arbitrary commands as root user

CVE-2018-11766 HIGH
8.8 Nov 27

In Apache Hadoop 2.7.4 to 2.7.6, the security fix for CVE-2016-6811 is incomplete. Rated high severity (CVSS 8.8), this

CVE-2015-7430 HIGH
8.4 Jan 02

The Hadoop connector 1.1.1, 2.4, 2.5, and 2.7.0-0 before 2.7.0-3 for IBM Spectrum Scale and General Parallel File System

CVE-2017-3166 HIGH
7.8 Nov 13

In Apache Hadoop versions 2.6.1 to 2.6.5, 2.7.0 to 2.7.3, and 3.0.0-alpha1, if a file in an encryption zone with access

CVE-2012-3376 HIGH
7.5 Jul 12

DataNodes in Apache Hadoop 2.0.0 alpha does not check the BlockTokens of clients when Kerberos is enabled and the DataNo

Share

CVE-2013-2192 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy