CVE-2018-11799

CWE-20 — Improper Input Validation4 documents4 sources

Severity

6.5MEDIUM

EPSS

0.2%

top 52.64%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Oozie Apache Software Foundation Apache Oozie

Timeline

PublishedDec 19

Latest updateDec 20

Description

Vulnerability allows a user of Apache Oozie 3.1.3-incubating to 5.0.0 to impersonate other users. The malicious user can construct an XML that results workflows running in other user's name.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages3 packages

▶NVDapache/oozie3.1.3 — 5.1.0+1

▶Mavenorg.apache.oozie:oozie-core< 5.1.0

▶CVEListV5apache_software_foundation/apache_oozieApache Oozie 3.1.3-incubating to 5.0.0

🔴Vulnerability Details

OSV

Moderate severity vulnerability that affects org.apache.oozie:oozie-core↗2018-12-20

▶

GHSA

Moderate severity vulnerability that affects org.apache.oozie:oozie-core↗2018-12-20

▶

CVEList

CVE-2018-11799: Vulnerability allows a user of Apache Oozie 3↗2018-12-19

▶