...
Credit: New York Life Insurance Company
CVE-2017-5655: Possible exposure of sensitive data in files created in Ambari temp directory when downloading configurations
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected: 2.2.2 through 2.4.2; and 2.5.0
Versions Fixed: 2.4.3, 2.5.1
Description: During installation, Ambari Server artifacts are not created with proper ACLs
Mitigation: Ambari 2.4.x (before 2.4.3) users should upgrade to version 2.4.3; Ambari 2.5.0 users should upgrade to Ambari 2.5.1 or above.
Ambari 2.4.3 and Ambari 2.5.1 correct this issue by forcing the related temporary files to be accessible only to the user executing the Ambari server process. The related temporary files should be removed when no longer needed, as well.
Credit: Pradeep Bhadani
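As an added example (not Ambari's own code), the two properties the fix above enforces, temporary files readable only by the process owner and removed once no longer needed, together with a defender-side check that lists files in a temp directory still exposed to other users; it assumes a POSIX host and uses constructed file names, not Ambari's paths:

```python
import os
import stat
import tempfile
from contextlib import contextmanager


@contextmanager
def private_temp_file(directory, data):
    """Create a temp file with owner-only permissions (mkstemp uses
    O_CREAT|O_EXCL and mode 0600), yield its path, and always remove it."""
    fd, path = tempfile.mkstemp(dir=directory)
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
        yield path
    finally:
        try:
            os.unlink(path)
        except FileNotFoundError:
            pass


def mode_of(path):
    return stat.S_IMODE(os.stat(path).st_mode)


def find_exposed_files(directory):
    """Audit helper: names of regular files whose group/other bits grant
    any access, i.e. the condition behind the exposure described above."""
    exposed = []
    for name in sorted(os.listdir(directory)):
        full = os.path.join(directory, name)
        if os.path.isfile(full) and mode_of(full) & 0o077:
            exposed.append(name)
    return exposed


def demo():
    """Run the scenario in a fresh directory; the leaked file is constructed
    only to show the audit catching a world-readable artifact."""
    work = tempfile.mkdtemp()
    with private_temp_file(work, b"constructed config export") as path:
        private_ok = mode_of(path) & 0o077 == 0
        clean_audit = find_exposed_files(work)
    removed = not os.path.exists(path)
    leak = os.path.join(work, "exported-configs.json")  # constructed name
    with open(leak, "wb") as fh:
        fh.write(b"constructed leaked content")
    os.chmod(leak, 0o644)  # typical default: readable by every local user
    return {"private_ok": private_ok, "clean_audit": clean_audit,
            "removed": removed, "after_leak": find_exposed_files(work)}
```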
Fixed in Ambari 2.5.0
...
CVE-2017-5642: Ambari Server artifacts do not have proper ACLs
...
Fixed in Ambari 2.4.2
...
CVE-2016-6807: Custom commands may be executed without authorization
...