CVE-2023-50380

Severity: 6.5 MEDIUM
EPSS: 0.1% (top 71.19%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Feb 27

Description

XML External Entity injection in Apache Ambari versions <= 2.7.7. Users are recommended to upgrade to version 2.7.8, which fixes this issue. More details: the Oozie Workflow Scheduler had a vulnerability that allowed root-level file reading and privilege escalation by low-privilege users. The vulnerability was caused by a lack of proper user input validation. This class of vulnerability is known as an XML External Entity (XXE) injection attack. Attackers can exploit XXE vulnerabilities to read ar

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Exploitability: 2.8 | Impact: 3.6

Affected Packages (3 packages)

NVD: apache/ambari, introduced 2.7.0, fixed 2.7.8
CVEListV5: apache_software_foundation/apache_ambari, introduced 2.7.0, last affected 2.7.7

Vulnerability Details (3 sources)

OSV: Apache Ambari XML External Entity injection (2024-02-27)
GHSA: Apache Ambari XML External Entity injection (2024-02-27)
CVEList: Apache Ambari: authenticated users could perform XXE to read arbitrary files on the server (2024-02-27)