CVE-2013-2192
Apache Hadoop 2.x < 2.0.6-alpha, 0.23.x < 0.23.9, 1.x < 1.2.1 - Authentication Downgrade via RPC Protocol
Title source: llmDescription
The RPC protocol implementation in Apache Hadoop 2.x before 2.0.6-alpha, 0.23.x before 0.23.9, and 1.x before 1.2.1, when the Kerberos security features are enabled, allows man-in-the-middle attackers to disable bidirectional authentication and obtain sensitive information by forcing a downgrade to simple authentication.
References (5)
Core 5
Core References
Vendor Advisory vendor-advisory
x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2014-0037.html
Various Sources x_refsource_confirm
https://www.cloudera.com/documentation/other/security-bulletins/topics/csb_topic_1.html
Vendor Advisory vendor-advisory
x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2014-0400.html
Third Party Advisory third-party-advisory
x_refsource_secunia
http://secunia.com/advisories/57915
Mailing List mailing-list
x_refsource_fulldisc
http://seclists.org/fulldisclosure/2013/Aug/251
Scores
EPSS
0.0013
EPSS Percentile
31.3%
Details
CWE
CWE-287
Status
published
Products (24)
apache/hadoop
0.23.0
apache/hadoop
0.23.1
apache/hadoop
0.23.3
apache/hadoop
0.23.4
apache/hadoop
0.23.5
apache/hadoop
0.23.6
apache/hadoop
0.23.7
apache/hadoop
0.23.8
apache/hadoop
1.0.0
apache/hadoop
1.0.1
... and 14 more
Published
Jan 24, 2014
Tracked Since
Feb 18, 2026