oss-security - Re: CVE-2022-42009: Apache Ambari: A malicious authenticated user can remotely execute arbitrary code in the context of the application.

Follow @Openwall on Twitter for new release announcements and other news

[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]

Message-ID: <CAOJKFBBeRpoYjwUsJNH=c5aAQ+H=rmGPiTUQ+qB7rZ0J1Qt+rQ@mail.gmail.com>
Date: Mon, 10 Jul 2023 10:08:22 -0500
From: Brandon Perry <bperry.volatile@...il.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE-2022-42009: Apache Ambari: A malicious
 authenticated user can remotely execute arbitrary code in the context of the application.

Do you have an example proof of concept or a bug link for this?

On Mon, Jul 10, 2023 at 10:06 AM Brahma Reddy Battula <brahma@...che.org>
wrote:

> Affected versions:
>
> - Apache Ambari 2.7.0 through 2.7.6
>
> Description:
>
> SpringEL injection in the server agent in Apache Ambari version 2.7.0 to
> 2.7.6 allows a malicious authenticated user to execute arbitrary code
> remotely. Users are recommended to upgrade to 2.7.7.
>
> Credit:
>
> Jecki Go (jecgo@...a.com) (finder)
>
> References:
>
> https://ambari.apache.org/
> https://www.cve.org/CVERecord?id=CVE-2022-42009
>
>

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.