CVE-2025-23195

CWE-611 — XML External Entity (XXE)3 documents3 sources

Severity

7.5HIGH

EPSS

0.3%

top 49.14%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Software Foundation Apache Ambari Apache Ambari

Timeline

PublishedJan 21

Latest updateJan 22

Description

An XML External Entity (XXE) vulnerability exists in the Ambari/Oozie project, allowing an attacker to inject malicious XML entities. This vulnerability occurs due to insecure parsing of XML input using the `DocumentBuilderFactory` class without disabling external entity resolution. An attacker can exploit this vulnerability to read arbitrary files on the server or perform server-side request forgery (SSRF) attacks. The issue has been fixed in both Ambari 2.7.9 and the trunk branch.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages2 packages

▶NVDapache/ambari< 2.7.9

▶CVEListV5apache_software_foundation/apache_ambari< 2.7.9

🔴Vulnerability Details

GHSA

GHSA-jjxh-vpf5-jm42: An XML External Entity (XXE) vulnerability exists in the Ambari/Oozie project, allowing an attacker to inject malicious XML entities↗2025-01-22

▶

CVEList

Apache Ambari: XML External Entity (XXE) Vulnerability in Ambari/Oozie↗2025-01-21

▶