Apache Ambari
26 CVEs affecting Apache Ambari. Latest disclosed: 2025-01-21. Critical: 3, High: 9.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2017-5642 | Critical | 9.8 | 2017-04-03 | During installation of Ambari 2.4.0 through 2.4.2, Ambari Server artifacts are not created with proper ACLs. |
| CVE-2014-3582 | Critical | 9.8 | 2017-03-29 | In Ambari 1.2.0 through 2.2.2, it may be possible to execute arbitrary system commands on the Ambari Server host while generating SSL certificates for hosts in… |
| CVE-2016-6807 | Critical | 9.8 | 2017-03-28 | Custom commands may be executed on Ambari Agent (2.4.x, before 2.4.2) hosts without authorization, leading to unauthorized access to operations that may affect… |
| CVE-2025-23196 | High | 8.8 | 2025-01-21 | A code injection vulnerability exists in the Ambari Alert Definition feature, allowing authenticated users to inject and execute arbitrary shell commands. Th… |
| CVE-2024-51941 | High | 8.8 | 2025-01-21 | A remote code injection vulnerability exists in the Ambari Metrics and AMS Alerts feature, allowing authenticated users to inject and execute arbitrary code… |
| CVE-2023-50379 | High | 8.8 | 2024-02-27 | Malicious code injection in Apache Ambari prior to 2.7.8. Users are recommended to upgrade to version 2.7.8, which fixes this issue. Impact: A Cluster Oper… |
| CVE-2018-8042 | High | 8.1 | 2018-07-18 | In Apache Ambari versions 2.5.0 to 2.6.2, passwords for Hadoop credential stores are exposed in Ambari Agent informational log messages when the credential store… |
| CVE-2022-45855 | High | 8.0 | 2023-07-12 | SpringEL injection in the metrics source in Apache Ambari version 2.7.0 to 2.7.6 allows a malicious authenticated user to execute arbitrary code remotely. User… |
| CVE-2022-42009 | High | 8.0 | 2023-07-12 | SpringEL injection in the server agent in Apache Ambari version 2.7.0 to 2.7.6 allows a malicious authenticated user to execute arbitrary code remotely. Users… |
| CVE-2025-23195 | High | 7.5 | 2025-01-21 | An XML External Entity (XXE) vulnerability exists in the Ambari/Oozie project, allowing an attacker to inject malicious XML entities. This vulnerability occu… |
| CVE-2020-13924 | High | 7.5 | 2021-03-17 | In Apache Ambari versions 2.6.2.2 and earlier, malicious users can construct file names for directory traversal and traverse to other directories to download f… |
| CVE-2017-5654 | High | 7.5 | 2017-05-12 | In Ambari 2.4.x (before 2.4.3) and Ambari 2.5.0, an authorized user of the Ambari Hive View may be able to gain unauthorized read access to files on the host w… |
| CVE-2023-50380 | Medium | 6.5 | 2024-02-27 | XML External Entity injection in Apache Ambari versions <= 2.7.7. Users are recommended to upgrade to version 2.7.8, which fixes this issue. More Details: Oo… |
| CVE-2017-5655 | Medium | 6.5 | 2017-05-15 | In Ambari 2.2.2 through 2.4.2 and Ambari 2.5.0, sensitive data may be stored on disk in temporary files on the Ambari Server host. The temporary files are read… |
| CVE-2023-50378 | Medium | 6.1 | 2024-03-01 | Lack of proper input validation and constraint enforcement in Apache Ambari prior to 2.7.8. Impact: As it will be stored XSS, could be exploited to perform… |
| CVE-2020-1936 | Medium | 6.1 | 2021-03-02 | A cross-site scripting issue was found in Apache Ambari Views. This was addressed in Apache Ambari 2.7.4. |
| CVE-2016-4976 | Medium | 5.5 | 2017-03-29 | Apache Ambari 2.x before 2.4.0 includes KDC administrator passwords on the kadmin command line, which allows local users to obtain sensitive information via a… |
| CVE-2018-8003 | Medium | 5.3 | 2018-05-03 | Apache Ambari, versions 1.4.0 to 2.6.1, is susceptible to a directory traversal attack allowing an unauthenticated user to craft an HTTP request which provides… |
| CVE-2016-0731 | Medium | 4.9 | 2016-05-18 | The File Browser View in Apache Ambari before 2.2.1 allows remote authenticated administrators to read arbitrary files via a file: URL in the WebHDFS URL confi… |
| CVE-2016-0707 | Low | 3.3 | 2016-05-18 | The agent in Apache Ambari before 2.1.2 uses weak permissions for the (1) /var/lib/ambari-agent/data and (2) /var/lib/ambari-agent/keys directories, which allo… |