CVE-2023-50379

Malicious code injection in Apache Ambari in prior to 2.7.8.Users are recommended to upgrade to version 2.7.8, which fixes this issue.

Impact:
A Cluster Operator can manipulate the request by adding a malicious code injection and gain a root over the cluster main host.
Code Injection
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
8.8 HIGH
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
apacheCNA
---
---
CVEADP
---
---
CISA-ADPADP
8.8 HIGH
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 58%
VendorProductVersion
apacheambari
2.7.7 ≤
𝑥
≤ 2.7.7
apacheambari
𝑥
< 2.7.8
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
http://www.openwall.com/lists/oss-security/2024/02/27/1
https://lists.apache.org/thread/jglww6h6ngxpo1r6r5fx7ff7z29lnvv8
http://www.openwall.com/lists/oss-security/2024/02/27/1
https://lists.apache.org/thread/jglww6h6ngxpo1r6r5fx7ff7z29lnvv8