oss-sec mailing list archives

[CVE-2015-3186] Apache Ambari XSS vulnerability


From: Yusaku Sako <yusaku () hortonworks com>
Date: Tue, 13 Oct 2015 01:36:05 +0000

Adding the correct user () ambari apache org list.

Yusaku

From: Yusaku Sako
Date: Monday, October 12, 2015 at 6:34 PM
To: Mark Kerzner, Yosef Kerzner, "users () ambari apache org", "dev () ambari apache org", "security () apache org", "oss-security () lists openwall com", "bugtraq () securityfocus com"
Subject: [CVE-2015-3186] Apache Ambari XSS vulnerability


CVE-2015-3186: Apache Ambari XSS vulnerability

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected: 1.7.0 to 2.0.2

Versions Fixed: 2.1.0

Description: Ambari allows authenticated cluster operator users to specify arbitrary text as a note when saving configuration changes. This note field is rendered as is (unescaped HTML). This exposes opportunities for XSS.

Mitigation: Ambari users should upgrade to version 2.1.0 or above.

Version 2.1.0 onwards properly HTML-escapes the note field associated with configuration changes.

Credit: Hacker Y on the Elephant Scale team.

References: https://cwiki.apache.org/confluence/display/AMBARI/Ambari+Vulnerabilities
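
Added example (not part of the original advisory and not Ambari's own code): the note rendering described above, shown unescaped and then HTML-escaped, plus a small audit helper that flags stored notes containing markup after an upgrade. The record shape, function names and sample notes are hypothetical and constructed for illustration.

```javascript
// Added example, not Ambari source. Record shape and names are hypothetical.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

// Escape the five characters that can change the HTML parsing context.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// "Before": the note is concatenated into markup as is, which is the
// behaviour the advisory describes for the affected versions.
function renderNoteUnescaped(cfg) {
  return '<div class="note">' + cfg.note + '</div>';
}

// "After": the note is HTML-escaped first, so the browser shows it as text.
function renderNoteEscaped(cfg) {
  return '<div class="note">' + escapeHtml(cfg.note) + '</div>';
}

// Audit helper: flag stored notes that contain tag-like markup or character
// references, i.e. text the unescaped rendering would have interpreted.
function findNotesWithMarkup(configVersions) {
  const markup = /<\/?[a-zA-Z][^>]*>|&#?\w+;/;
  return configVersions.filter((cfg) => markup.test(cfg.note));
}

// Constructed sample data (not taken from any real cluster).
const SAMPLE_VERSIONS = [
  { version: 1, user: 'operator1', note: 'Raised heap size to 4 GB' },
  { version: 2, user: 'operator2', note: 'tuning <script>alert(1)</script>' },
  { version: 3, user: 'operator1', note: 'set threshold < 10 & retry > 3' },
];

for (const cfg of SAMPLE_VERSIONS) {
  console.log('v' + cfg.version, renderNoteEscaped(cfg));
}
console.log('flagged:', findNotesWithMarkup(SAMPLE_VERSIONS).map((c) => c.version));
```

Version 3 of the sample is deliberately not flagged: a bare `<` or `&` in ordinary text is harmless once escaped, while version 2 carries a complete tag and is worth reviewing.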

