...
Credit: New York Life Insurance Company
...
CVE-2017-5655: Possible exposure of sensitive data in files created in Ambari temp directory when downloading configurations
...
Credit: This issue was discovered by Mateusz Olejarka (SecuRing).
CVE-2015-3186: Apache Ambari XSS vulnerability
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected: 1.7.0 to 2.0.2
Versions Fixed: 2.1.0
Description: Ambari allows authenticated cluster operator users to supply arbitrary text as a note when saving configuration changes. The note field is rendered as-is, without HTML escaping, so any markup it contains is interpreted by the browser; this allows cross-site scripting (XSS).
Mitigation: Ambari users should upgrade to version 2.1.0 or above.
Version 2.1.0 onwards properly HTML-escapes the note field associated with configuration changes.
Credit: Hacker Y on the Elephant Scale team.
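As an added illustration of the issue described above (this is not Ambari's own code; the function names, the row template and the sample note are assumptions), the note-rendering path before and after HTML escaping, plus a small check a unit test can run over rendered markup:

```javascript
// Illustrative code, not taken from Ambari. Function names and the
// sample note below are assumptions made for this example.

// Escape the characters that change meaning in HTML text and attribute
// contexts. '&' must be replaced first so already-escaped output is not
// double-escaped incorrectly.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Behaviour the advisory describes for 1.7.0 to 2.0.2: the operator-supplied
// note is concatenated straight into the markup, so tags in the note become
// part of the page.
function renderNoteUnsafe(change) {
  return `<tr><td>${change.version}</td><td>${change.note}</td></tr>`;
}

// Behaviour the advisory describes for 2.1.0 onwards: the note is
// HTML-escaped before it reaches the template, so the browser displays
// the text instead of interpreting it.
function renderNoteSafe(change) {
  return `<tr><td>${escapeHtml(change.version)}</td>` +
         `<td>${escapeHtml(change.note)}</td></tr>`;
}

// Review-time check: a user-controlled value that contains markup
// characters must never appear verbatim in the rendered output.
function leaksRawMarkup(renderedHtml, userValue) {
  return /[<>"'&]/.test(userValue) && renderedHtml.includes(userValue);
}

// Constructed sample: a configuration-change note containing a script tag.
const sampleChange = { version: 7, note: "restart hdfs <script>alert(1)</script>" };

// Stand-alone demonstration of both paths.
console.log("unsafe:", renderNoteUnsafe(sampleChange));
console.log("safe:  ", renderNoteSafe(sampleChange));
console.log("unsafe leaks markup:", leaksRawMarkup(renderNoteUnsafe(sampleChange), sampleChange.note));
console.log("safe leaks markup:  ", leaksRawMarkup(renderNoteSafe(sampleChange), sampleChange.note));
```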