ambari-user mailing list archives

From Yusaku Sako <>
Subject Re: [CVE-2015-3186] Apache Ambari XSS vulnerability
Date Tue, 13 Oct 2015 01:36:05 GMT
Adding the correct list.


From: Yusaku Sako
Date: Monday, October 12, 2015 at 6:34 PM
To: Mark Kerzner, Yosef Kerzner, "<>",
"<>", "<>",
"<>", "<>"
Subject: [CVE-2015-3186] Apache Ambari XSS vulnerability

CVE-2015-3186: Apache Ambari XSS vulnerability

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected: 1.7.0 to 2.0.2

Versions Fixed: 2.1.0

Description: Ambari allows authenticated cluster operator users to specify arbitrary text
as a note when saving configuration changes. This note field is rendered as is (unescaped
HTML).  This exposes opportunities for XSS.

Mitigation: Ambari users should upgrade to version 2.1.0 or above.

Version 2.1.0 onwards properly HTML-escapes the note field associated with configuration changes.

Credit: Hacker Y on the Elephant Scale team.
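
The fix the advisory describes, HTML-escaping the configuration note at output time, shown beside unescaped rendering. This is an added example, not Ambari's code and not part of the original message; the function names, the table-row markup and the sample notes are all constructed for illustration.

```javascript
// Added illustration, not Ambari source code; all names and markup are hypothetical.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the characters that let text be parsed as markup, both in element
// content and inside a quoted attribute value.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// "Before": the note is placed into the page as is, so tags typed into the
// note become part of the page for every user who later views the change.
function renderNoteUnescaped(version, note) {
  return `<tr><td>V${Number(version)}</td><td class="notes">${note}</td></tr>`;
}

// "After": the note is treated as text and escaped when it is rendered.
function renderNoteEscaped(version, note) {
  return `<tr><td>V${Number(version)}</td><td class="notes">${escapeHtml(note)}</td></tr>`;
}

// True when the rendered row contains an element the template did not define.
function containsInjectedMarkup(html) {
  const templateTags = new Set(['tr', 'td']);
  const tags = [...html.matchAll(/<\/?([a-zA-Z][a-zA-Z0-9]*)/g)].map((m) => m[1].toLowerCase());
  return tags.some((tag) => !templateTags.has(tag));
}

// Review helper: notes saved before the upgrade whose text contains tag-like
// sequences. A "<" followed by a space (as in "a < b") is not a tag start.
function findNotesWithMarkup(notes) {
  return notes.filter((n) => /<\/?[a-zA-Z!]/.test(n.text));
}

// Constructed sample data.
const SAMPLE_NOTES = [
  { version: 1, text: 'Increased heap size & restarted' },
  { version: 2, text: 'Tuning <script>alert(1)</script> done' },
  { version: 3, text: 'Alert when a < b threshold' },
];

for (const n of SAMPLE_NOTES) {
  const before = containsInjectedMarkup(renderNoteUnescaped(n.version, n.text));
  const after = containsInjectedMarkup(renderNoteEscaped(n.version, n.text));
  console.log(`V${n.version}: markup reaches page unescaped=${before} escaped=${after}`);
}
```
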

