ambari-dev mailing list archives

From Yusaku Sako <yus...@hortonworks.com>
Subject [CVE-2015-3270] A non-administrative user can escalate themselves to have administrative privileges remotely
Date Tue, 13 Oct 2015 01:42:52 GMT
CVE-2015-3270: A non-administrative user can escalate themselves to have administrative privileges remotely

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected: 1.7.0, 2.0.0, 2.0.1, 2.1.0

Versions Fixed: 2.0.2, 2.1.1

Description: An authenticated, non-administrative user can remotely escalate their own permissions to
administrative level. The escalated privileges apply both to access through the REST API and to the web UI.

Mitigation: Ambari users should upgrade to version 2.1.1 or later (users of 2.0.0 and 2.0.1 can
alternatively upgrade to 2.0.2).

In fixed versions of Ambari (2.0.2, and 2.1.1 onward), access to the user resource endpoint
is protected such that only a user with administrator privileges can escalate a user's privileges.
A non-administrative user may still access the endpoint, but may only change their own password.
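The authorization rule the paragraph above describes, as an added illustration (this is not Ambari's code, and the field names `admin` and `password`, the request shape, and the handler names are assumptions, not Ambari's actual REST API). The first handler models the pre-fix behaviour, where authentication is checked but nothing ties the requested change to the caller's role; the second enforces the fixed rule: an administrator may change anything, a non-administrator may reach the endpoint but only to change their own password.

```python
"""Illustrative authorization check for a user-resource update endpoint.

Added example; not Ambari's code. Field names, request shape and the
sample accounts are constructed assumptions for the demonstration.
"""
from dataclasses import dataclass


@dataclass
class User:
    name: str
    admin: bool = False
    password: str = "initial"


class Forbidden(Exception):
    """The caller is authenticated but not authorized for this change."""


# Fields the (illustrative) user resource accepts on update.
ALLOWED_FIELDS = {"admin", "password"}


def _apply(user: User, changes: dict) -> User:
    unknown = set(changes) - ALLOWED_FIELDS
    if unknown:
        raise ValueError(f"unknown field(s): {sorted(unknown)}")
    for key, value in changes.items():
        setattr(user, key, value)
    return user


def update_user_vulnerable(actor: User, users: dict, target: str, changes: dict) -> User:
    """Constructed 'before' behaviour: the actor is authenticated, but the
    requested change is never checked against the actor's role, so any user
    can set admin=True on any account, including their own."""
    return _apply(users[target], changes)


def update_user_fixed(actor: User, users: dict, target: str, changes: dict) -> User:
    """Constructed 'after' behaviour matching the advisory's description:
    only an administrator may change privileges or touch other accounts;
    a non-admin may still call the endpoint, but only to change their own
    password."""
    if target not in users:
        raise KeyError(target)
    if not actor.admin:
        if target != actor.name:
            raise Forbidden(f"{actor.name} may not modify account {target!r}")
        privileged = set(changes) - {"password"}
        if privileged:
            raise Forbidden(f"{actor.name} may only change their own password, "
                            f"not {sorted(privileged)}")
    return _apply(users[target], changes)


def _fresh_users() -> dict:
    # Constructed sample accounts: one administrator, one ordinary user.
    return {"admin": User("admin", admin=True), "bob": User("bob")}


def demo() -> dict:
    """Run the same self-promotion attempt against both handlers, plus a few
    legitimate and illegitimate requests against the fixed one; returns the
    outcomes keyed by name."""
    out = {}

    users = _fresh_users()
    update_user_vulnerable(users["bob"], users, "bob", {"admin": True})
    out["vulnerable_self_promote"] = users["bob"].admin          # True

    users = _fresh_users()
    try:
        update_user_fixed(users["bob"], users, "bob", {"admin": True})
        out["fixed_self_promote"] = "allowed"
    except Forbidden:
        out["fixed_self_promote"] = "denied"
    out["bob_admin_after_fix"] = users["bob"].admin              # False

    try:
        update_user_fixed(users["bob"], users, "admin", {"password": "pwned"})
        out["fixed_touch_other_account"] = "allowed"
    except Forbidden:
        out["fixed_touch_other_account"] = "denied"

    update_user_fixed(users["bob"], users, "bob", {"password": "new-secret"})
    out["fixed_own_password"] = users["bob"].password            # "new-secret"

    update_user_fixed(users["admin"], users, "bob", {"admin": True})
    out["fixed_admin_promotes"] = users["bob"].admin             # True
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point of the fixed handler is that the decision is made on the combination of actor role, target account and requested fields, not on authentication alone; a non-admin request that mixes a password change with a privilege change is rejected outright rather than partially applied.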

Credit: This issue was discovered by security analysts at Blue Cross Blue Shield Association