...
Mitigation: Ambari users should upgrade to version 2.1.0 or above or obtain the latest source from github0 or above. Version 2.1.0 onwards the proxy end point (api/v1/proxy) has been disabled. In addition a configurable parameter (proxy.allowed.hostports) is introduced, in config file ambari.properties, to explicitly specify a list of host/port that can be proxied to when using the utility.
...
CVE-2015-3186: Apache Ambari XSS vulnerability
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected: Ambari 1.7.0 to 2.0.2
Description: Ambari allows authenticated cluster operator users to specify arbitrary text as a note when saving configuration changes. This note field is rendered as is (unescaped HTML). This exposes opportunities for XSS.
Mitigation: Ambari users should upgrade to version 2.1.0 or above or obtain the latest source from github.
Version 2.1.0 onwards properly HTML-escapes the note field associated with configuration changes.
Credit: Hacker Y on the Elephant Scale team.