Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2023-50380

XML External Entity injection in apache ambari versions <= 2.7.7, Users are recommended to upgrade to version 2.7.8, which fixes this issue. More Details: Oozie Workflow Scheduler had a vulnerability that allowed for root-level file reading and privilege escalation from low-privilege users. The vulnerability was caused through lack of proper user input validation. This vulnerability is known as an XML External Entity (XXE) injection attack. Attackers can exploit XXE vulnerabilities to read arbitrary files on the server, including sensitive system files. In theory, it might be possible to use this to escalate privileges.

Published

2024-02-27T17:15:11.300

Last Modified

2025-03-27T20:15:20.650

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 6.5 (MEDIUM)

Weaknesses

Type: Primary
CWE-611

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	apache	ambari	< 2.7.8	Yes

References

http://www.openwall.com/lists/oss-security/2024/02/27/6 Mailing List ([email protected])
https://lists.apache.org/thread/qrt7mq7v7zyrh1qsh1gkg1m7clysvy32 Vendor Advisory ([email protected])
http://www.openwall.com/lists/oss-security/2024/02/27/6 Mailing List (af854a3a-2127-422b-91ae-364da2661108)
https://lists.apache.org/thread/qrt7mq7v7zyrh1qsh1gkg1m7clysvy32 Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)