CVE-2013-2192

The RPC protocol implementation in Apache Hadoop 2.x before 2.0.6-alpha, 0.23.x before 0.23.9, and 1.x before 1.2.1, when the Kerberos security features are enabled, allows man-in-the-middle attackers to disable bidirectional authentication and obtain sensitive information by forcing a downgrade to simple authentication.

Published Bysecalert@redhat.com

Published DateJan 24, 2014, 18:55

Affected Versions(2)

org.apache.hadoop:hadoop-common(Maven)

Introduced2.0.0

Fixed2.0.6-alpha

LimitN/A

org.apache.hadoop:hadoop-common(Maven)

Introduced0.23.0

Fixed0.23.9

LimitN/A

Package (Ecosystem)	Introduced	Fixed	Limit
org.apache.hadoop:hadoop-common(Maven)	2.0.0	2.0.6-alpha	N/A
org.apache.hadoop:hadoop-common(Maven)	0.23.0	0.23.9	N/A

Weakness Type (CWE):CWE-287

CVSS Metrics

Base Score

3.2

Vector String

AV:A/AC:H/Au:N/C:P/I:P/A:N

Base Severity

Version

2.0

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality (C)

PARTIAL

Integrity (I)

PARTIAL

Availability (A)

NONE

References

Weakness Type (CWE):CWE-287

CVSS Metrics

Base Score

3.2

Vector String

AV:A/AC:H/Au:N/C:P/I:P/A:N

Base Severity

Version

2.0

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality (C)

PARTIAL

Integrity (I)

PARTIAL

Availability (A)

NONE