exploitDog

CVE-2025-23195

Published: 21 Jan 2025
Source: nvd
CVSS3: 7.5
EPSS: Low

Description

An XML External Entity (XXE) vulnerability exists in the Ambari/Oozie project, allowing an attacker to inject malicious XML entities. This vulnerability occurs due to insecure parsing of XML input using the DocumentBuilderFactory class without disabling external entity resolution. An attacker can exploit this vulnerability to read arbitrary files on the server or perform server-side request forgery (SSRF) attacks. The issue has been fixed in both Ambari 2.7.9 and the trunk branch.

Vulnerable configurations

Configuration 1
cpe:2.3:a:apache:ambari:*:*:*:*:*:*:*:*
Versions before 2.7.9 (exclusive)

EPSS

Percentile: 34%
0.00137
Low

CVSS3

7.5 High

Weaknesses

CWE-611

Related vulnerabilities

CVSS3: 7.5
github
about 1 year ago

An XML External Entity (XXE) vulnerability exists in the Ambari/Oozie project, allowing an attacker to inject malicious XML entities. This vulnerability occurs due to insecure parsing of XML input using the `DocumentBuilderFactory` class without disabling external entity resolution. An attacker can exploit this vulnerability to read arbitrary files on the server or perform server-side request forgery (SSRF) attacks. The issue has been fixed in both Ambari 2.7.9 and the trunk branch.