Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <37c53343-ceff-134f-17f5-fdee929d4d92@apache.org>
Date: Tue, 21 Jan 2025 20:32:18 +0000
From: Viraj Jasani <vjasani@...che.org>
To: oss-security@...ts.openwall.com
Subject: CVE-2025-23195: Apache Ambari: XML External Entity (XXE)
 Vulnerability in Ambari/Oozie 

Severity: moderate

Affected versions:

- Apache Ambari before 2.7.9

Description:

An XML External Entity (XXE) vulnerability exists in the Ambari/Oozie 
project, allowing an attacker to inject malicious XML entities. This 
vulnerability occurs due to insecure parsing of XML input using the 
`DocumentBuilderFactory` class without disabling external entity 
resolution. An attacker can exploit this vulnerability to read arbitrary
 files on the server or perform server-side request forgery (SSRF) 
attacks. The issue has been fixed in both Ambari 2.7.9 and the trunk 
branch.

References:

https://ambari.apache.org/
https://www.cve.org/CVERecord?id=CVE-2025-23195

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.