XML injection in Ambari - CVE-2017-5654


Published: May 13, 2017 / Updated: February 8, 2021


Vulnerability identifier: #VU38996
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2017-5654
CWE-ID: CWE-91
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Apache Foundation
Affected software:
Ambari

Detailed vulnerability description

The vulnerability allows a remote attacker who holds a valid Ambari Hive View account to read files on the Ambari server host that the account is not authorised to see.

In Ambari 2.4.x (before 2.4.3) and Ambari 2.5.0, an authorized user of the Ambari Hive View may be able to gain unauthorized read access to files on the host where the Ambari server executes.
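
The page classifies the bug as XML injection (CWE-91) with the effect of reading arbitrary files on the parsing host, which is the classic shape of an XML parser that expands external entities against the local filesystem. The block below is an added illustration of that bug class in Python, not code from Apache Ambari or the Hive View, and it does not claim to reproduce the exact input path the Hive View exposed (the page does not describe it). Everything in it is constructed: the "secret" file lives in a temporary directory, the payload is built inline, and `parse_vulnerable` / `parse_hardened` are hypothetical names for the two parser configurations being compared.

```python
"""External-entity file read through an XML parser, beside the hardened parser.

Added example for the CWE-91 bug class; not Ambari or Hive View code.
"""
import io
import os
import tempfile
import xml.sax
from xml.parsers import expat
from xml.sax.handler import ContentHandler, feature_external_ges


class _TextCollector(ContentHandler):
    """SAX handler that records character data, i.e. whatever the parser expanded."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)


def build_payload(path):
    """Constructed attacker document: an external general entity whose SYSTEM id
    is a file on the parsing host, referenced inside an element the application
    echoes back. `path` is whatever the attacker knows or guesses."""
    return (
        '<?xml version="1.0"?>\n'
        f'<!DOCTYPE query [<!ENTITY xxe SYSTEM "{path}">]>\n'
        "<query><name>&xxe;</name></query>\n"
    ).encode()


def parse_vulnerable(xml_bytes):
    """Parse with external general entities enabled (the xml.sax default before
    Python 3.7.1). The parser replaces &xxe; with the contents of the file named
    in the entity declaration, so the server-side file comes back as text."""
    handler = _TextCollector()
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, True)  # the unsafe setting
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(handler.parts)


def parse_hardened(xml_bytes):
    """Parse with pyexpat and fail closed the moment any entity is declared or
    any external entity is referenced. Untrusted XML never needs a DTD, so
    refusing it costs nothing and removes the file-read primitive."""
    parts = []
    parser = expat.ParserCreate()

    def forbid_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        raise ValueError(f"entity declaration refused: {name!r}")

    def forbid_external_ref(context, base, system_id, public_id):
        raise ValueError(f"external entity reference refused: {system_id!r}")

    parser.EntityDeclHandler = forbid_entity_decl
    parser.ExternalEntityRefHandler = forbid_external_ref
    parser.CharacterDataHandler = parts.append
    parser.Parse(xml_bytes, True)
    return "".join(parts)


def run_demo():
    """Stage a constructed secret on the local host, feed the same payload to
    both parsers and return (text the vulnerable parser leaked,
    error the hardened parser raised)."""
    with tempfile.TemporaryDirectory() as tmp:
        secret_path = os.path.join(tmp, "secret.txt")  # constructed stand-in
        with open(secret_path, "w", encoding="utf-8") as f:
            f.write("db.password=hunter2")
        payload = build_payload(secret_path)

        leaked = parse_vulnerable(payload)
        try:
            parse_hardened(payload)
            hardened_result = "parsed"
        except ValueError as exc:
            hardened_result = str(exc)
    return leaked, hardened_result


if __name__ == "__main__":
    leaked, hardened_result = run_demo()
    print("vulnerable parser returned:", leaked)
    print("hardened parser:", hardened_result)
```

The same split applies to a Java service such as Ambari: the fix is a parser factory that sets `http://apache.org/xml/features/disallow-doctype-decl` (or otherwise disables external general and parameter entities) rather than input filtering, because the file read happens inside the parser before application code sees the document.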


How to mitigate CVE-2017-5654

Upgrade to a release outside the affected range: 2.4.3 or later for the 2.4.x line, or a release after 2.5.0 for the 2.5.x line, as published by the vendor.

Sources