CVSS: 3.2EPSS: 0%CPEs: 23EXPL: 0CVE-2013-2192 – hadoop: man-in-the-middle vulnerability
https://notcve.org/view.php?id=CVE-2013-2192
The RPC protocol implementation in Apache Hadoop 2.x before 2.0.6-alpha, 0.23.x before 0.23.9, and 1.x before 1.2.1, when the Kerberos security features are enabled, allows man-in-the-middle attackers to disable bidirectional authentication and obtain sensitive information by forcing a downgrade to simple authentication. La implementación del protocolo RPC en Apache Hadoop v2.x anterior a v2.0.6-alpha, v0.23.x anterior a v0.23.9, y v1.x anterior a v1.2.1, cuando las características de seguridad de Kerberos están habilitadas, permite a atacantes man in the middle deshabilitar la autenticación bidireccional y obtener información sensible forzando una desactualización a una autenticación simple. • http://rhn.redhat.com/errata/RHSA-2014-0037.html http://rhn.redhat.com/errata/RHSA-2014-0400.html http://seclists.org/fulldisclosure/2013/Aug/251 http://secunia.com/advisories/57915 https://www.cloudera.com/documentation/other/security-bulletins/topics/csb_topic_1.html https://access.redhat.com/security/cve/CVE-2013-2192 https://bugzilla.redhat.com/show_bug.cgi?id=1001326 • CWE-287: Improper Authentication •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2012-3376
https://notcve.org/view.php?id=CVE-2012-3376
DataNodes in Apache Hadoop 2.0.0 alpha does not check the BlockTokens of clients when Kerberos is enabled and the DataNode has checked out the same BlockPool twice from a NodeName, which might allow remote clients to read arbitrary blocks, write to blocks to which they only have read access, and have other unspecified impacts. DataNodes en Apache Hadoop v2.0.0 alpha comprueba la BlockTokens de los clientes cuando Kerberos está habilitado y el DataNode ha comproabado el mismo BlockPool dos veces desde NodeName, permitiendo a clientes remotos leer bloques arbitrarios, escribir en los bloques a los que sólo tiene acceso de lectura y tener otros efectos no especificados. • http://archives.neohapsis.com/archives/bugtraq/2012-07/0049.html http://www.securityfocus.com/bid/54358 https://www.cloudera.com/documentation/other/security-bulletins/topics/csb_topic_1.html • CWE-310: Cryptographic Issues •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 1CVE-2012-2945 – Hadoop 1.0.3 Symlink
https://notcve.org/view.php?id=CVE-2012-2945
Hadoop 1.0.3 contains a symlink vulnerability. Hadoop versión 1.0.3, contiene una vulnerabilidad de tipo symlink. Hadoop version 1.0.3 suffers from a local privilege escalation symlink vulnerability. • https://seclists.org/fulldisclosure/2012/Jul/3 https://security-tracker.debian.org/tracker/CVE-2012-2945 • CWE-59: Improper Link Resolution Before File Access ('Link Following') •
CVSS: 6.5EPSS: 0%CPEs: 13EXPL: 0CVE-2012-1574
https://notcve.org/view.php?id=CVE-2012-1574
The Kerberos/MapReduce security functionality in Apache Hadoop 0.20.203.0 through 0.20.205.0, 0.23.x before 0.23.2, and 1.0.x before 1.0.2, as used in Cloudera CDH CDH3u0 through CDH3u2, Cloudera hadoop-0.20-sbin before 0.20.2+923.197, and other products, allows remote authenticated users to impersonate arbitrary cluster user accounts via unspecified vectors. La funcionalidad Kerberos/MapReduce en Apache Hadoop v0.20.203.0 a v0.20.205.0, v0.23.x antes de v0.23.2 y v1.0.x antes de v1.0.2, tal y como se utiliza en Cloudera CDH CDH3u0 a CDH3u2, Cloudera Hadoop-0.20-sbin antes de v0.20.2+923.197, y otros productos, permite hacerse pasar por usuarios de cluster de su elección a usuarios remotos autenticados a través de vectores no especificados. • http://archives.neohapsis.com/archives/bugtraq/2012-04/0051.html http://seclists.org/fulldisclosure/2012/Apr/70 http://secunia.com/advisories/48775 http://secunia.com/advisories/48776 http://www.securityfocus.com/bid/52939 https://ccp.cloudera.com/display/DOC/Cloudera+Security+Bulletin https://www.cloudera.com/documentation/other/security-bulletins/topics/csb_topic_1.html • CWE-310: Cryptographic Issues •