Vulnerability Details : CVE-2013-2192
The RPC protocol implementation in Apache Hadoop 2.x before 2.0.6-alpha, 0.23.x before 0.23.9, and 1.x before 1.2.1, when the Kerberos security features are enabled, allows man-in-the-middle attackers to disable bidirectional authentication and obtain sensitive information by forcing a downgrade to simple authentication.
Vulnerability category: BypassGain privilege
Products affected by CVE-2013-2192
- cpe:2.3:a:apache:hadoop:0.23.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache:hadoop:1.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:hadoop:0.23.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:hadoop:1.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache:hadoop:2.0.0:alpha:*:*:*:*:*:*
- cpe:2.3:a:apache:hadoop:1.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:apache:hadoop:1.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:apache:hadoop:2.0.1:alpha:*:*:*:*:*:*
- cpe:2.3:a:apache:hadoop:2.0.2:alpha:*:*:*:*:*:*
- cpe:2.3:a:apache:hadoop:0.23.3:*:*:*:*:*:*:*
- cpe:2.3:a:apache:hadoop:0.23.4:*:*:*:*:*:*:*
- cpe:2.3:a:apache:hadoop:1.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:apache:hadoop:1.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:hadoop:2.0.3:alpha:*:*:*:*:*:*
- cpe:2.3:a:apache:hadoop:0.23.7:*:*:*:*:*:*:*
- cpe:2.3:a:apache:hadoop:0.23.8:*:*:*:*:*:*:*
- cpe:2.3:a:apache:hadoop:1.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:apache:hadoop:2.0.4:alpha:*:*:*:*:*:*
- cpe:2.3:a:apache:hadoop:2.0.5:alpha:*:*:*:*:*:*
- cpe:2.3:a:apache:hadoop:1.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:hadoop:1.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache:hadoop:0.23.5:*:*:*:*:*:*:*
- cpe:2.3:a:apache:hadoop:0.23.6:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2013-2192
0.09%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 36 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2013-2192
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
3.2
|
LOW | AV:A/AC:H/Au:N/C:P/I:P/A:N |
3.2
|
4.9
|
NIST |
CWE ids for CVE-2013-2192
-
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.Assigned by: nvd@nist.gov (Primary)
References for CVE-2013-2192
-
http://rhn.redhat.com/errata/RHSA-2014-0400.html
RHSA-2014:0400 - Security Advisory - Red Hat Customer Portal
-
http://seclists.org/fulldisclosure/2013/Aug/251
Full Disclosure: CVE-2013-2192: Apache Hadoop Man in the Middle Vulnerability
-
https://www.cloudera.com/documentation/other/security-bulletins/topics/csb_topic_1.html
Cloudera Security Bulletins | 5.x | Cloudera Documentation
-
http://rhn.redhat.com/errata/RHSA-2014-0037.html
RHSA-2014:0037 - Security Advisory - Red Hat Customer Portal
Jump to