...

Mitigation: Ambari users should upgrade to version 2.1.0 or above, obtain the latest source from github, or apply this patch [DETAILS TBD]. From version 2.1.0 onwards the proxy endpoint (api/v1/proxy) is disabled. In addition, a configurable parameter (proxy.allowed.hostports) is introduced in the config file ambari.properties to explicitly specify the list of host/port pairs that can be proxied to when using the utility.

Credit: This issue was discovered by Mateusz Olejarka (SecuRing).

CVE-2015-3186: Apache Ambari XSS vulnerability
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected: Ambari 1.7.0 to 2.0.1
Description: Ambari allows authenticated cluster operator users to specify arbitrary text as a note when saving configuration changes. This note field is rendered as is (unescaped HTML). This exposes opportunities for XSS.
Mitigation: Ambari users should upgrade to version 2.1.0 or above or obtain the latest source from github or apply this patch [LINK TO PATCH TBD].
Version 2.1.0 onwards properly HTML-escapes the note field associated with configuration changes.
Credit: Hacker Y on the Elephant Scale team.
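As an added illustration (not Ambari's own code), the difference between rendering the configuration-change note as-is and HTML-escaping it before it reaches the page; the element class name and the sample note are constructed for the example:

```javascript
// Characters that must not reach the HTML parser as markup when a note
// is embedded in element content or a double-quoted attribute value.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Escape a string so it is displayed as text, not interpreted as HTML.
// A single pass over the input avoids double-escaping the '&' it emits.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Pre-2.1.0 behaviour described in the advisory: the note is interpolated
// into the markup unchanged, so any tags it contains are rendered.
function renderNoteUnescaped(note) {
  return `<div class="config-note">${note}</div>`;
}

// Hardened rendering (what the 2.1.0 fix amounts to): escape first.
function renderNoteEscaped(note) {
  return `<div class="config-note">${escapeHtml(note)}</div>`;
}

// Illustrative check only: does the rendered output contain a tag that did
// not come from the template wrapper? Strips the known wrapper, then looks
// for anything that the HTML parser would treat as the start of a tag.
function containsForeignTag(html) {
  const inner = html
    .replace(/^<div class="config-note">/, '')
    .replace(/<\/div>$/, '');
  return /<[a-zA-Z!/]/.test(inner);
}

// Constructed sample note, the kind of free text an operator can save
// alongside a configuration change.
const SAMPLE_NOTE = 'Bumped heap <script>alert(1)</script> for the NameNode';
```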