Table of Contents |
---|
Fixed in Ambari 2.7.4
...
Anchor CVE-2020-1936 CVE-2020-1936
CVE-2020-1936 :cross-site scripting vulnerability in Ambari Alerts
Severity: Medium
Vendor: Cloudera
Versions Affected: prior to Ambari 2.7.4
Versions Fixed: Ambari 2.7.4
Description:
Special characters should be encoded when displayed in Ambari Views. If special characters are not encoded, then scripts (<script>alert("xss!")</script>) may be executed due to user input. For example, issues may occur by placing special character in the Display Name field of an Ambari View.
Mitigation:
Upgraded to Ambari 2.7.4
Fixed in Ambari 2.7.0
...
Anchor CVE-2018-8042 CVE-2018-8042
...
Credit: New York Life Insurance Company
...
Anchor CVE-2017-5655 CVE-2017-5655
...
Credit: New York Life Insurance Company
...
Anchor CVE-2017-5655 CVE-2017-5655
...
Mitigation: Ambari users should upgrade to version 2.4.0 or above.
Version 2.4.0 onwards properly enforces that agent-supplied host names are valid hostnames before attempting to execute OpenSSL commands to create SSL certificates. However, this feature may be disabled by setting security.agent.hostname.validate to "false" in the ambari.properties file. It is strongly recommended that the default value of security.agent.hostname.validate is not changed since it may enable this vulnerability.
Credit: David Jorm
...
Anchor CVE-2016-4976 CVE-2016-4976
...
Credit: This issue was discovered by Mateusz Olejarka (SecuRing).
Anchor CVE-2015-3186 CVE-2015-3186
CVE-2015-3186: Apache Ambari XSS vulnerability
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected: 1.7.0 to 2.0.2
Versions Fixed: 2.1.0
Description: Ambari allows authenticated cluster operator users to specify arbitrary text as a note when saving configuration changes. This note field is rendered as is (unescaped HTML). This exposes opportunities for XSS.
Mitigation: Ambari users should upgrade to version 2.1.0 or above.
Version 2.1.0 onwards properly HTML-escapes the note field associated with configuration changes.
Credit: Hacker Y on the Elephant Scale team.