...

In fixed versions of Ambari (2.0.2; 2.1.1 and onward), access to the user resource endpoint is protected so that only a user with administrator privileges can escalate a user's privileges. A non-administrator user may still access the endpoint, but only to change their own password.

Credit: This issue was discovered by security analysts at Blue Cross Blue Shield Association.

Fixed in Ambari 2.1.0

...

CVE-2015-1775: Apache Ambari Server Side Request Forgery vulnerability

...