CVE-2013-6446
CVE-2013-6446 is a low-severity vulnerability in Cloudera Cdh with a CVSS 3.x base score of 3.1. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-264.
Key facts
- Severity: Low (CVSS 3.x base score 3.1)
- CVSS v2: 3.5
- EPSS exploit prediction: 1% (55th percentile)
- Actively exploited: Not listed in CISA KEV
- Weakness: CWE-264
- Affected product: Cloudera Cdh
- Published:
- Last modified:
Description
The JobHistory Server in Cloudera CDH 4.x before 4.6.0 and 5.x before 5.0.0 Beta 2, when using MRv2/YARN with HTTP authentication, allows remote authenticated users to obtain sensitive job information by leveraging failure to enforce job ACLs.
Frequently asked questions
- What is CVE-2013-6446?
- The JobHistory Server in Cloudera CDH 4.x before 4.6.0 and 5.x before 5.0.0 Beta 2, when using MRv2/YARN with HTTP authentication, allows remote authenticated users to obtain sensitive job information by leveraging failure to enforce job ACLs.
- How severe is CVE-2013-6446?
- CVE-2013-6446 has a CVSS 3.x base score of 3.1, rated low severity. It is exploitable over network with high attack complexity, requires low privileges and no user interaction. Impact on confidentiality is low, integrity none, and availability none.
- Is CVE-2013-6446 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 1% (55th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2013-6446?
- CVE-2013-6446 primarily affects Cloudera Cdh. In total, 17 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2013-6446?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- When was CVE-2013-6446 published?
- CVE-2013-6446 was published on 2017-03-23 and last updated on 2026-06-17.
References
- http://www.securityfocus.com/bid/97068
- https://www.cloudera.com/documentation/other/security-bulletins/topics/csb_topic_1.html#concept_mfb_qpm_4n
Affected products (17)
- cpe:2.3:a:cloudera:cdh:4.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:cloudera:cdh:4.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:cloudera:cdh:4.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:cloudera:cdh:4.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:cloudera:cdh:4.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:cloudera:cdh:4.1.3:*:*:*:*:*:*:*
- cpe:2.3:a:cloudera:cdh:4.1.4:*:*:*:*:*:*:*
- cpe:2.3:a:cloudera:cdh:4.1.5:*:*:*:*:*:*:*
- cpe:2.3:a:cloudera:cdh:4.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:cloudera:cdh:4.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:cloudera:cdh:4.2.2:*:*:*:*:*:*:*
- cpe:2.3:a:cloudera:cdh:4.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:cloudera:cdh:4.3.1:*:*:*:*:*:*:*
- cpe:2.3:a:cloudera:cdh:4.3.2:*:*:*:*:*:*:*
- cpe:2.3:a:cloudera:cdh:4.4.0:*:*:*:*:*:*:*
- cpe:2.3:a:cloudera:cdh:4.5.0:*:*:*:*:*:*:*
- cpe:2.3:a:cloudera:cdh:5.0.0:beta:*:*:*:*:*:*
More vulnerabilities in Cloudera Cdh
- CVE-2016-4572 — High (CVSS 8.8): In Cloudera CDH before 5.7.1, Impala REVOKE ALL ON SERVER commands do not revoke all privileges.
- CVE-2015-7831 — High (CVSS 8.8): In Cloudera Hue, there is privilege escalation by a read-only user when CDH 5.x brefore 5.4.9 is used.
- CVE-2019-7319 — High (CVSS 8.3): An issue was discovered in Cloudera Hue 6.0.0 through 6.1.0. When using one of following authentication backends:…
- CVE-2016-5724 — High (CVSS 7.5): Cloudera CDH before 5.9 has Potentially Sensitive Information in Diagnostic Support Bundles.
- CVE-2017-9325 — High (CVSS 7.5): The provided secure solrconfig.xml sample configuration does not enforce Sentry authorization on /update/json/docs.
- CVE-2016-6605 — High (CVSS 7.5): Impala in CDH 5.2.0 through 5.7.2 and 5.8.0 allows remote attackers to bypass Setry authorization.
All CVEs affecting Cloudera Cdh →
Other CWE-264 (Permissions, Privileges, and Access Controls) vulnerabilities
- CVE-2016-8363 — Critical (CVSS 10.0): An issue was discovered in Moxa OnCell OnCellG3470A-LTE, AWK-1131A/3131A/4131A Series, AWK-3191 Series, AWK-5232/6232…
- CVE-2016-7457 — Critical (CVSS 10.0): VMware vRealize Operations (aka vROps) 6.x before 6.4.0 allows remote authenticated users to gain privileges, or halt…
- CVE-2015-7425 — Critical (CVSS 10.0): The Data Protection component in the VMware vSphere GUI in IBM Tivoli Storage Manager for Virtual Environments: Data…
- CVE-2015-8267 — Critical (CVSS 10.0): The PasswordReset.Controllers.ResetController.ChangePasswordIndex method in PasswordReset.dll in Dovestones AD Self…
- CVE-2015-7919 — Critical (CVSS 10.0): SearchBlox 8.3 before 8.3.1 allows remote attackers to write to the config file, and consequently cause a denial of…
- CVE-2015-7071 — Critical (CVSS 10.0): The File Bookmark component in Apple OS X before 10.11.2 allows attackers to bypass a sandbox protection mechanism for…
Browse all CWE-264 (Permissions, Privileges, and Access Controls) vulnerabilities →