CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-51941 – Apache Ambari: Remote Code Injection in Ambari Metrics and AMS Alerts
https://notcve.org/view.php?id=CVE-2024-51941
21 Jan 2025 — A remote code injection vulnerability exists in the Ambari Metrics and AMS Alerts feature, allowing authenticated users to inject and execute arbitrary code. The vulnerability occurs when processing alert definitions, where malicious input can be injected into the alert script execution path. An attacker with authenticated access can exploit this vulnerability to execute arbitrary commands on the server. The issue has been fixed in the latest versions of Ambari. • https://lists.apache.org/thread/xq50nlff7o7z1kq3y637clzzl6mjhl8j • CWE-75: Failure to Sanitize Special Elements into a Different Plane (Special Element Injection) •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2025-23195 – Apache Ambari: XML External Entity (XXE) Vulnerability in Ambari/Oozie
https://notcve.org/view.php?id=CVE-2025-23195
21 Jan 2025 — An XML External Entity (XXE) vulnerability exists in the Ambari/Oozie project, allowing an attacker to inject malicious XML entities. This vulnerability occurs due to insecure parsing of XML input using the `DocumentBuilderFactory` class without disabling external entity resolution. An attacker can exploit this vulnerability to read arbitrary files on the server or perform server-side request forgery (SSRF) attacks. The issue has been fixed in both Ambari 2.7.9 and the trunk branch. • https://lists.apache.org/thread/hsb6mvxd7g37dq1ygtd0pd88gs9tfcwq • CWE-611: Improper Restriction of XML External Entity Reference •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2023-50378 – Apache Ambari: Various XSS problems
https://notcve.org/view.php?id=CVE-2023-50378
01 Mar 2024 — Lack of proper input validation and constraint enforcement in Apache Ambari prior to 2.7.8 Impact : As it will be stored XSS, Could be exploited to perform unauthorized actions, varying from data access to session hijacking and delivering malicious payloads. Users are recommended to upgrade to version 2.7.8 which fixes this issue. Falta de validación de entrada adecuada y aplicación de restricciones en Apache Ambari antes de 2.7.8 Impacto: como se almacenará XSS, podría explotarse para realizar acciones no ... • http://www.openwall.com/lists/oss-security/2024/03/01/5 • CWE-20: Improper Input Validation CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-50380 – Apache Ambari: authenticated users could perform XXE to read arbitrary files on the server
https://notcve.org/view.php?id=CVE-2023-50380
27 Feb 2024 — XML External Entity injection in apache ambari versions <= 2.7.7, Users are recommended to upgrade to version 2.7.8, which fixes this issue. More Details: Oozie Workflow Scheduler had a vulnerability that allowed for root-level file reading and privilege escalation from low-privilege users. The vulnerability was caused through lack of proper user input validation. This vulnerability is known as an XML External Entity (XXE) injection attack. Attackers can exploit XXE vulnerabilities to read arbitrary files o... • http://www.openwall.com/lists/oss-security/2024/02/27/6 • CWE-611: Improper Restriction of XML External Entity Reference •
CVSS: 9.7EPSS: 0%CPEs: 1EXPL: 0CVE-2023-50379 – Apache Ambari: authenticated users could perform command injection to perform RCE
https://notcve.org/view.php?id=CVE-2023-50379
27 Feb 2024 — Malicious code injection in Apache Ambari in prior to 2.7.8. Users are recommended to upgrade to version 2.7.8, which fixes this issue. Impact: A Cluster Operator can manipulate the request by adding a malicious code injection and gain a root over the cluster main host. Inyección de código malicioso en Apache Ambari en versiones anteriores a 2.7.8. Se recomienda a los usuarios actualizar a la versión 2.7.8, que soluciona este problema. • http://www.openwall.com/lists/oss-security/2024/02/27/1 • CWE-94: Improper Control of Generation of Code ('Code Injection') •