CVE-2013-2192

The RPC protocol implementation in Apache Hadoop 2.x before 2.0.6-alpha, 0.23.x before 0.23.9, and 1.x before 1.2.1, when the Kerberos security features are enabled, allows man-in-the-middle attackers to disable bidirectional authentication and obtain sensitive information by forcing a downgrade to simple authentication.

Published: Jan 24, 2014
Updated: May 9, 2024
CVE: CVE-2013-2192
GHSA: GHSA-pxv5-5vmp-3jj4
Severity: Low
Exploit:

CVSS v2:

Severity: Low
Score: 3.2
AV:A/AC:H/Au:N/C:P/I:P/A:N

CWEs:

CWE-287

OWASP TOP 10:

A2 - Broken Authentication

Affected Software
References

Software	From	Fixed in
apache / hadoop	2.0.4-alpha	2.0.4-alpha.x
apache / hadoop	0.23.3	0.23.3.x
apache / hadoop	2.0.3-alpha	2.0.3-alpha.x
apache / hadoop	1.1.0	1.1.0.x
apache / hadoop	1.2.0	1.2.0.x
apache / hadoop	2.0.5-alpha	2.0.5-alpha.x
apache / hadoop	1.0.3	1.0.3.x
apache / hadoop	0.23.6	0.23.6.x
apache / hadoop	1.0.0	1.0.0.x
apache / hadoop	2.0.0-alpha	2.0.0-alpha.x
apache / hadoop	0.23.0	0.23.0.x
apache / hadoop	0.23.4	0.23.4.x
apache / hadoop	1.1.2	1.1.2.x
apache / hadoop	0.23.5	0.23.5.x
apache / hadoop	1.0.2	1.0.2.x
apache / hadoop	1.0.1	1.0.1.x
apache / hadoop	1.1.1	1.1.1.x
apache / hadoop	1.0.4	1.0.4.x
apache / hadoop	2.0.2-alpha	2.0.2-alpha.x
apache / hadoop	0.23.8	0.23.8.x
apache / hadoop	0.23.7	0.23.7.x
apache / hadoop	0.23.1	0.23.1.x
apache / hadoop	2.0.1-alpha	2.0.1-alpha.x
org.apache.hadoop / hadoop-common	2.0.0	2.0.6-alpha
org.apache.hadoop / hadoop-common	0.23.0	0.23.9

Vulnerability Database

289,689

CVE-2013-2192