Versions Compared

Old Version 33

changes.mady.by.user Robert Levas

Saved on

compared with

New Version Current

changes.mady.by.user Szabolcs Béki

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Table of Contents

Fixed in Ambari 2.7.4

...

Anchor
CVE-2020-1936
CVE-2020-1936

CVE-2020-1936 :cross-site scripting vulnerability in Ambari Alerts 

Severity: Medium 

Vendor: Cloudera

Versions Affected: prior to Ambari 2.7.4

Versions Fixed: Ambari 2.7.4

Description:

Special characters should be encoded when displayed in Ambari Views. If special characters are not encoded, then scripts (<script>alert("xss!")</script>) may be executed due to user input. For example, issues may occur by placing special character in the Display Name field of an Ambari View.


Mitigation:

Upgraded to Ambari 2.7.4


Fixed in Ambari 2.7.0

...

Anchor
CVE-2018-8042
CVE-2018-8042

...

Credit: New York Life Insurance Company

 


...

Anchor
CVE-2017-5655
CVE-2017-5655

...

Credit: New York Life Insurance Company 


...

Anchor
CVE-2017-5655
CVE-2017-5655

...

Mitigation: Ambari users should upgrade to version 2.4.0 or above.
Version 2.4.0 onwards properly enforces that agent-supplied host names are valid hostnames before attempting to execute OpenSSL commands to create SSL certificates. However, this feature may be disabled by setting security.agent.hostname.validate to "false" in the ambari.properties file. It is strongly recommended that the default value of security.agent.hostname.validate is not changed since it may enable this vulnerability.

Credit: David Jorm 


...

Anchor
CVE-2016-4976
CVE-2016-4976

...

Credit: This issue was discovered by  Mateusz Olejarka (SecuRing). 

 


Anchor
CVE-2015-3186
CVE-2015-3186

CVE-2015-3186: Apache Ambari XSS vulnerability

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected: 1.7.0 to 2.0.2

Versions Fixed: 2.1.0

Description: Ambari allows authenticated cluster operator users to specify arbitrary text as a note when saving configuration changes. This note field is rendered as is (unescaped HTML).  This exposes opportunities for XSS.

Mitigation: Ambari users should upgrade to version 2.1.0 or above.

Version 2.1.0 onwards properly HTML-escapes the note field associated with configuration changes.

Credit: Hacker Y on the Elephant Scale team.