ambari-user mailing list archives

From Yusaku Sako <yus...@hortonworks.com>
Subject Re: [CVE-2015-3186] Apache Ambari XSS vulnerability
Date Tue, 13 Oct 2015 01:36:05 GMT
Adding the correct user@ambari.apache.org list.

Yusaku

From: Yusaku Sako
Date: Monday, October 12, 2015 at 6:34 PM
To: Mark Kerzner, Yosef Kerzner, "users@ambari.apache.org<mailto:users@ambari.apache.org>",
"dev@ambari.apache.org<mailto:dev@ambari.apache.org>", "security@apache.org<mailto:security@apache.org>",
"oss-security@lists.openwall.com<mailto:oss-security@lists.openwall.com>", "bugtraq@securityfocus.com<mailto:bugtraq@securityfocus.com>"
Subject: [CVE-2015-3186] Apache Ambari XSS vulnerability


CVE-2015-3186: Apache Ambari XSS vulnerability

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected: 1.7.0 to 2.0.2

Versions Fixed: 2.1.0

Description: Ambari allows authenticated cluster operator users to specify arbitrary text
as a note when saving configuration changes. This note field is rendered as is (as unescaped
HTML), which exposes opportunities for cross-site scripting (XSS).

Mitigation: Ambari users should upgrade to version 2.1.0 or above.

Version 2.1.0 onwards properly HTML-escapes the note field associated with configuration changes.
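The fix described above is escaping the note before it is interpolated into markup. The following is an added illustration of that pattern and is not Ambari's own code; the function names, the wrapper markup, and the sample note are assumptions constructed for this example.

```javascript
// Added example (not Ambari's own code): rendering a user-supplied
// configuration-change note in the browser, unescaped vs. escaped.
// Assumptions: the note arrives as a plain string and the UI builds an
// HTML fragment for it; all names below are hypothetical.

// The five characters that can change HTML structure or break out of an
// attribute value. Replacing them turns any markup in the note into text.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern (the behaviour the advisory describes for 1.7.0 to
// 2.0.2): the note is interpolated directly into the fragment, so any
// tags it contains are parsed as markup.
function renderNoteUnsafe(note) {
  return `<div class="config-note">${note}</div>`;
}

// Hardened pattern (what 2.1.0 onwards does): escape first, so tags in the
// note are displayed literally instead of being interpreted.
function renderNoteSafe(note) {
  return `<div class="config-note">${escapeHtml(note)}</div>`;
}

// Constructed sample note containing markup an operator might type.
const SAMPLE_NOTE = 'Raised heap to 4g <b>before</b> the "peak" run & restart';

// Regression check suitable for a UI unit test: the rendered fragment must
// not contain any raw tag that appeared in the input note.
function containsRawTag(html, note) {
  const tags = note.match(/<[^>]+>/g) || [];
  return tags.some((tag) => html.includes(tag));
}

console.log(renderNoteUnsafe(SAMPLE_NOTE));
console.log(renderNoteSafe(SAMPLE_NOTE));
console.log('raw tag leaks (unsafe):', containsRawTag(renderNoteUnsafe(SAMPLE_NOTE), SAMPLE_NOTE));
console.log('raw tag leaks (safe):  ', containsRawTag(renderNoteSafe(SAMPLE_NOTE), SAMPLE_NOTE));
```

Escaping at render time, as here, is the right layer for this bug: the note is legitimately free text and should be stored as typed, but it must never reach the HTML parser as markup. Escaping on input instead would corrupt the stored value and would not protect other consumers that render the same field.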

Credit: Hacker Y on the Elephant Scale team.

References: https://cwiki.apache.org/confluence/display/AMBARI/Ambari+Vulnerabilities
