oss-sec mailing list archives
[CVE-2015-3186] Apache Ambari XSS vulnerability
From: Yusaku Sako <yusaku () hortonworks com>
Date: Tue, 13 Oct 2015 01:36:05 +0000
Adding the correct user () ambari apache org list.

Yusaku

From: Yusaku Sako
Date: Monday, October 12, 2015 at 6:34 PM
To: Mark Kerzner, Yosef Kerzner, "users () ambari apache org", "dev () ambari apache org", "security () apache org", "oss-security () lists openwall com", "bugtraq () securityfocus com"
Subject: [CVE-2015-3186] Apache Ambari XSS vulnerability

CVE-2015-3186: Apache Ambari XSS vulnerability

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected: 1.7.0 to 2.0.2

Versions Fixed: 2.1.0

Description:
Ambari allows authenticated cluster operator users to specify arbitrary text as a note when saving configuration changes. This note field is rendered as is (unescaped HTML). This exposes opportunities for XSS.

Mitigation:
Ambari users should upgrade to version 2.1.0 or above. Version 2.1.0 onwards properly HTML-escapes the note field associated with configuration changes.

Credit:
Hacker Y on the Elephant Scale team.

References:
https://cwiki.apache.org/confluence/display/AMBARI/Ambari+Vulnerabilities
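The difference between rendering the note "as is" and HTML-escaping it at output time, as an added example that is not part of the original advisory and is not Ambari source code. All function names, the `config-note` class and the sample notes are hypothetical and constructed for illustration; the audit helper assumes stored notes are available as plain objects with `version` and `note` fields.

```javascript
// Added illustration; not Ambari source code. All names are hypothetical.

// Characters that can change the HTML parsing context in text or attributes.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// "Before": the note is concatenated into markup as is, so any tags in it
// become part of the page shown to whoever views the configuration history.
function renderNoteUnescaped(note) {
  return '<span class="config-note">' + note + '</span>';
}

// "After": the note is escaped when it is written into the page, so it is
// displayed as literal text whatever it contains.
function renderNoteEscaped(note) {
  return '<span class="config-note">' + escapeHtml(note) + '</span>';
}

// Audit helper: list config versions whose stored note contains
// markup-significant characters, e.g. notes saved before the upgrade.
// A hit means "review this note", not "this note is malicious".
function notesNeedingReview(versions) {
  return versions.filter((v) => /[<>]|&[#\w]+;/.test(v.note)).map((v) => v.version);
}

// Constructed sample data (not taken from a real cluster).
const SAMPLE_VERSIONS = [
  { version: 1, note: 'Raised DataNode heap to 2 GB' },
  { version: 2, note: '<b onmouseover="alert(1)">hover</b>' },
  { version: 3, note: 'Set dfs.replication < 3 for test cluster' },
];

for (const v of SAMPLE_VERSIONS) {
  console.log('v' + v.version + ' unescaped:', renderNoteUnescaped(v.note));
  console.log('v' + v.version + ' escaped:  ', renderNoteEscaped(v.note));
}
console.log('versions to review:', notesNeedingReview(SAMPLE_VERSIONS));
```

Version 3 in the sample is flagged although its note is harmless, which is why escaping at render time, rather than filtering what operators may type, is the fix the advisory describes.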