
List:       oss-security
Subject:    [oss-security] CVE-2023-50380: Apache Ambari: authenticated users could perform XXE to read arbitrar
From:       Brahma Reddy Battula <brahma () apache ! org>
Date:       2024-02-27 16:42:32
Message-ID: 0cc3cf0e-4b5c-287d-c157-f606d7f15cb2 () apache ! org

Severity: important

Affected versions:

- Apache Ambari 2.7.0 through 2.7.7

Description:

XML External Entity injection in Apache Ambari versions <= 2.7.7. Users are recommended to upgrade to version 2.7.8, which fixes this issue.

More Details:

Oozie Workflow Scheduler had a vulnerability that allowed root-level file reading and privilege escalation from low-privilege users. The vulnerability was caused by a lack of proper validation of user-supplied input.

This class of vulnerability is known as an XML External Entity (XXE) injection attack. Attackers can exploit XXE vulnerabilities to read arbitrary files on the server, including sensitive system files. In theory, it might be possible to use this to escalate privileges.
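The mitigation side of the issue above, as an added example that is not part of this advisory and is not Ambari or Oozie code: a pre-parse gate that rejects any XML document carrying the constructs an XXE payload depends on (a DOCTYPE, an entity declaration, or an external entity reference). It is written in Python on the standard-library expat bindings rather than in Java, so it runs stand-alone; the function names, the `UnsafeXmlError` class and both sample documents are constructed for the example, and the `file:///path/to/secret` URI is a placeholder, not a real target.

```python
"""Refuse XML that carries DTD constructs before handing it to the real parser.

Hypothetical gate for illustration, not Ambari/Oozie code. An XXE payload must
declare an entity, either inline in the DOCTYPE's internal subset or through an
external DTD, so refusing any document that contains a DOCTYPE stops both
file disclosure through SYSTEM entities and entity-expansion denial of service
while leaving ordinary workflow XML (which needs no DTD) untouched.
"""
import xml.parsers.expat
import xml.etree.ElementTree as ET


class UnsafeXmlError(ValueError):
    """Raised when the document contains DTD constructs the gate forbids."""


def find_dtd_constructs(xml_bytes: bytes) -> list[str]:
    """Return a description of every DTD construct found (empty list means clean).

    The scan uses expat's declaration callbacks only; no entity is ever resolved
    and nothing is read from disk or the network.
    """
    findings: list[str] = []
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        findings.append(
            f"DOCTYPE {name} sysid={sysid!r} internal_subset={bool(has_internal_subset)}"
        )

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        kind = "external" if sysid is not None else "internal"
        findings.append(f"{kind} entity {name!r} sysid={sysid!r}")

    def on_external_ref(context, base, sysid, pubid):
        findings.append(f"external entity reference to {sysid!r}")
        return 1  # tell expat to carry on without loading anything

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    try:
        parser.Parse(xml_bytes, True)
    except xml.parsers.expat.ExpatError:
        # Malformed input is rejected later by the real parser anyway; any
        # findings collected before the error still count against the document.
        pass
    return findings


def parse_workflow(xml_bytes: bytes) -> ET.Element:
    """Parse a workflow definition only after the DTD gate has passed."""
    findings = find_dtd_constructs(xml_bytes)
    if findings:
        raise UnsafeXmlError("; ".join(findings))
    return ET.fromstring(xml_bytes)


# Constructed sample documents (not taken from any real deployment).
BENIGN_WORKFLOW = b"""<?xml version="1.0" encoding="UTF-8"?>
<workflow-app name="demo">
  <start to="end"/>
  <end name="end"/>
</workflow-app>"""

XXE_WORKFLOW = b"""<?xml version="1.0"?>
<!DOCTYPE workflow-app [<!ENTITY xxe SYSTEM "file:///path/to/secret">]>
<workflow-app name="demo">&xxe;</workflow-app>"""


if __name__ == "__main__":
    print("benign findings:", find_dtd_constructs(BENIGN_WORKFLOW))
    print("parsed root tag:", parse_workflow(BENIGN_WORKFLOW).tag)
    try:
        parse_workflow(XXE_WORKFLOW)
    except UnsafeXmlError as exc:
        print("rejected:", exc)
```

The gate is deliberately coarse: it does not try to distinguish harmless internal entities from dangerous external ones, because a workflow definition has no legitimate need for a DTD at all, and a blanket DOCTYPE ban is the setting most XML hardening guidance (for example, disallowing DOCTYPE declarations on the Java parser factory) converges on. The same check belongs in front of every other XML parser in the service, not only the one the advisory names.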

References:

https://ambari.apache.org/
https://www.cve.org/CVERecord?id=CVE-2023-50380

