CVSS: -EPSS: 0%CPEs: 1EXPL: 0CVE-2023-50378 – Apache Ambari: Various XSS problems
https://notcve.org/view.php?id=CVE-2023-50378
Lack of proper input validation and constraint enforcement in Apache Ambari prior to 2.7.8 Impact : As it will be stored XSS, Could be exploited to perform unauthorized actions, varying from data access to session hijacking and delivering malicious payloads. Users are recommended to upgrade to version 2.7.8 which fixes this issue. Falta de validación de entrada adecuada y aplicación de restricciones en Apache Ambari antes de 2.7.8 Impacto: como se almacenará XSS, podría explotarse para realizar acciones no autorizadas, que van desde el acceso a datos hasta el secuestro de sesiones y la entrega de payloads maliciosos. Se recomienda a los usuarios actualizar a la versión 2.7.8, que soluciona este problema. • http://www.openwall.com/lists/oss-security/2024/03/01/5 https://lists.apache.org/thread/6hn0thq743vz9gh283s2d87wz8tqh37c • CWE-20: Improper Input Validation •
CVSS: -EPSS: 0%CPEs: 1EXPL: 0CVE-2023-50380 – Apache Ambari: authenticated users could perform XXE to read arbitrary files on the server
https://notcve.org/view.php?id=CVE-2023-50380
XML External Entity injection in apache ambari versions <= 2.7.7, Users are recommended to upgrade to version 2.7.8, which fixes this issue. More Details: Oozie Workflow Scheduler had a vulnerability that allowed for root-level file reading and privilege escalation from low-privilege users. The vulnerability was caused through lack of proper user input validation. This vulnerability is known as an XML External Entity (XXE) injection attack. Attackers can exploit XXE vulnerabilities to read arbitrary files on the server, including sensitive system files. In theory, it might be possible to use this to escalate privileges. Inyección de entidad externa XML en versiones de Apache Ambari <= 2.7.7. • http://www.openwall.com/lists/oss-security/2024/02/27/6 https://lists.apache.org/thread/qrt7mq7v7zyrh1qsh1gkg1m7clysvy32 • CWE-611: Improper Restriction of XML External Entity Reference •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-50379 – Apache Ambari: authenticated users could perform command injection to perform RCE
https://notcve.org/view.php?id=CVE-2023-50379
Malicious code injection in Apache Ambari in prior to 2.7.8. Users are recommended to upgrade to version 2.7.8, which fixes this issue. Impact: A Cluster Operator can manipulate the request by adding a malicious code injection and gain a root over the cluster main host. Inyección de código malicioso en Apache Ambari en versiones anteriores a 2.7.8. Se recomienda a los usuarios actualizar a la versión 2.7.8, que soluciona este problema. Impacto: un operador de clúster puede manipular la solicitud agregando una inyección de código malicioso y obteniendo una raíz sobre el host principal del clúster. • http://www.openwall.com/lists/oss-security/2024/02/27/1 https://lists.apache.org/thread/jglww6h6ngxpo1r6r5fx7ff7z29lnvv8 • CWE-94: Improper Control of Generation of Code ('Code Injection') •