Medium severity · 6.8 · NVD Advisory · Published May 26, 2017 · Updated May 13, 2026

CVE-2017-5646

CVE-2017-5646

Description

For versions of Apache Knox from 0.2.0 to 0.11.0, an authenticated user may use a specially crafted URL to impersonate another user while accessing WebHDFS through Apache Knox. This may result in escalated privileges and unauthorized data access. While this activity is audit logged and can be easily associated with the authenticated user, this is still a serious security issue. All users are recommended to upgrade to the Apache Knox 0.12.0 release.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
org.apache.knox:gateway-provider-identity-assertion-commonMaven
>= 0.2.0, < 0.12.00.12.0

Affected products

  • Apache/Knox — 10 versions
    • cpe:2.3:a:apache:knox:0.10.0:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:knox:0.11.0:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:knox:0.2.0:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:knox:0.3.0:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:knox:0.4.0:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:knox:0.5.0:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:knox:0.6.0:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:knox:0.7.0:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:knox:0.8.0:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:knox:0.9.0:*:*:*:*:*:*:*
  • Apache Software Foundation/Apache Knoxv5
    Range: 0.2.0 to 0.11.0

Patches

998dcd257dc8

KNOX-906 - Log WARN of Removed Impersonation Params

https://github.com/apache/knox · Larry McCay · Mar 13, 2017 · via ghsa
3 files changed · +56 −3
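--- a/gateway-provider-identity-assertion-common/src/main/java/org/apache/hadoop/gateway/identityasserter/common/filter/IdentityAsserterHttpServletRequestWrapper.java
+++ b/gateway-provider-identity-assertion-common/src/main/java/org/apache/hadoop/gateway/identityasserter/common/filter/IdentityAsserterHttpServletRequestWrapper.java
@@ -36,10 +36,12 @@
 import java.nio.charset.Charset;
 import java.security.Principal;
 import java.util.ArrayList;
+import java.util.List;
 import java.util.Collection;
 import java.util.Collections;
 import java.util.Enumeration;
 import java.util.HashMap;
+import java.util.HashSet;
 import java.util.Map;
 
 public class IdentityAsserterHttpServletRequestWrapper extends HttpServletRequestWrapper {
@@ -121,7 +123,7 @@ private Map<String, String[]> getParams( String qString ) {
   private Map<String, String[]> getParams() {
     return getParams( super.getQueryString() );
   }
-  
+
   @Override
   public String getQueryString() {
     String q = null;
@@ -135,13 +137,15 @@ public String getQueryString() {
     al.add(username);
     String[] a = { "" };
 
+    List<String> principalParamNames = getImpersonationParamNames();
+    params = scrubOfExistingPrincipalParams(params, principalParamNames);
+
     if ("true".equals(System.getProperty(GatewayConfig.HADOOP_KERBEROS_SECURED))) {
       params.put(DOAS_PRINCIPAL_PARAM, al.toArray(a));
-      params.remove(PRINCIPAL_PARAM);
     } else {
       params.put(PRINCIPAL_PARAM, al.toArray(a));
     }
-    
+
     String encoding = getCharacterEncoding();
     if (encoding == null) {
       encoding = Charset.defaultCharset().name();
@@ -150,6 +154,32 @@ public String getQueryString() {
     return q;
   }
 
+  private List<String> getImpersonationParamNames() {
+    // TODO: let's have service definitions register their impersonation
+    // params in a future release and get this list from a central registry.
+    // This will provide better coverage of protection by removing any
+    // prepopulated impersonation params.
+    ArrayList<String> principalParamNames = new ArrayList<String>();
+    principalParamNames.add(DOAS_PRINCIPAL_PARAM);
+    principalParamNames.add(PRINCIPAL_PARAM);
+    return principalParamNames;
+  }
+
+  private Map<String, String[]> scrubOfExistingPrincipalParams(
+      Map<String, String[]> params, List<String> principalParamNames) {
+    HashSet<String> remove = new HashSet<String>();
+    for (String paramKey : params.keySet()) {
+      for (String p : principalParamNames) {
+        if (p.equalsIgnoreCase(paramKey)) {
+          remove.add(paramKey);
+          log.possibleIdentitySpoofingAttempt(paramKey);
+        }
+      }
+    }
+    params.keySet().removeAll(remove);
+    return params;
+  }
+
   @Override
   public int getContentLength() {
     int len;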
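Review bot: `scrubOfExistingPrincipalParams` is applied only on the query-string path inside `getQueryString` (that method starts and ends outside the hunk); the wrapper also appears to rewrite form-encoded request bodies (the test file has a POST case and `getContentLength` is overridden right below), so if that path inserts the asserted principal into body parameters it needs the same case-insensitive scrub, otherwise a pre-populated `user.name`/`doAs` in the body would survive where the query-string one is now removed. The removed key is logged verbatim through `log.possibleIdentitySpoofingAttempt(paramKey)`; because it originates from the request, encode or length-limit it before logging if `getParams` URL-decodes keys, so that control characters cannot forge WARN lines in the audit trail. `getImpersonationParamNames` builds a new list on every call and both helpers declare concrete `ArrayList`/`HashSet` locals; prefer the interface types, e.g. `Set<String> remove = new HashSet<String>();`, and hold the name list once as a `static final` constant wrapped with `Collections.unmodifiableList(...)` (already imported). A short Javadoc on `scrubOfExistingPrincipalParams` stating that it mutates and returns the same map, and that matching is case-insensitive by design, would make the contract explicit for the registry follow-up mentioned in the TODO.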
    
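--- a/gateway-provider-identity-assertion-common/src/test/java/org/apache/hadoop/gateway/identityasserter/filter/IdentityAssertionHttpServletRequestWrapperTest.java
+++ b/gateway-provider-identity-assertion-common/src/test/java/org/apache/hadoop/gateway/identityasserter/filter/IdentityAssertionHttpServletRequestWrapperTest.java
@@ -18,12 +18,14 @@
 package org.apache.hadoop.gateway.identityasserter.filter;
 
 import org.apache.commons.io.IOUtils;
+import org.apache.hadoop.gateway.config.GatewayConfig;
 import org.apache.hadoop.gateway.identityasserter.common.filter.IdentityAsserterHttpServletRequestWrapper;
 import org.apache.hadoop.test.category.FastTests;
 import org.apache.hadoop.test.category.UnitTests;
 import org.apache.hadoop.test.mock.MockHttpServletRequest;
 import org.apache.hadoop.test.mock.MockServletInputStream;
 import org.junit.Test;
+import org.junit.After;
 import org.junit.experimental.categories.Category;
 
 import java.io.ByteArrayInputStream;
@@ -38,6 +40,11 @@
 @Category( { UnitTests.class, FastTests.class } )
 public class IdentityAssertionHttpServletRequestWrapperTest {
 
+  @After
+  public void resetSystemProps() {
+    System.setProperty(GatewayConfig.HADOOP_KERBEROS_SECURED, "false");
+  }
+
   @Test
   public void testInsertUserNameInPostMethod() throws IOException {
     String inputBody = "jar=%2Ftmp%2FGatewayWebHdfsFuncTest%2FtestJavaMapReduceViaWebHCat%2Fhadoop-examples.jar&class=org.apache.org.apache.hadoop.examples.WordCount&arg=%2Ftmp%2FGatewayWebHdfsFuncTest%2FtestJavaMapReduceViaTempleton%2Finput&arg=%2Ftmp%2FGatewayWebHdfsFuncTest%2FtestJavaMapReduceViaTempleton%2Foutput";
@@ -143,6 +150,19 @@ public void testInsertUserNameInQueryString() {
     assertThat( output, containsString( "user.name=output-user" ) );
   }
 
+  @Test
+  public void testInsertDoAsInQueryString() {
+    System.setProperty(GatewayConfig.HADOOP_KERBEROS_SECURED, "true");
+    MockHttpServletRequest request = new MockHttpServletRequest();
+    request.setQueryString("op=LISTSTATUS&user.name=jack&User.Name=jill&DOas=admin&doas=root");
+
+    IdentityAsserterHttpServletRequestWrapper wrapper
+        = new IdentityAsserterHttpServletRequestWrapper( request, "output-user" );
+
+    String output = wrapper.getQueryString();
+    assertThat(output, is("op=LISTSTATUS&doAs=output-user"));
+  }
+
   @Test
   public void testInsertUserNameInNullQueryString() {
     String input = null;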
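Review bot: `resetSystemProps` forces the property to `"false"` instead of restoring whatever value it held before the test, so a JVM that sets `HADOOP_KERBEROS_SECURED` externally is left in a different state after this class runs; capture the prior value in a `@Before` and put it back, or `System.clearProperty(GatewayConfig.HADOOP_KERBEROS_SECURED);` when it was unset. `testInsertDoAsInQueryString` asserts the exact string `op=LISTSTATUS&doAs=output-user`, which holds only if `getParams` yields parameters in a stable order — if it is backed by a plain `HashMap` the assertion is order-dependent, and `containsString("doAs=output-user")` combined with negative checks for `jack`, `jill`, `admin` and `root` would pin the security property without depending on ordering. The new case exercises only the Kerberos branch; a sibling test with the property unset and the same mixed-case `User.Name`/`doas` variants would confirm the scrub also protects the `user.name` branch.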
    
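--- a/gateway-spi/src/main/java/org/apache/hadoop/gateway/SpiGatewayMessages.java
+++ b/gateway-spi/src/main/java/org/apache/hadoop/gateway/SpiGatewayMessages.java
@@ -67,4 +67,7 @@ public interface SpiGatewayMessages {
 
   @Message( level = MessageLevel.DEBUG, text = "Inbound response entity content type: {0}" )
   void inboundResponseEntityContentType( String fullContentType );
+
+  @Message( level = MessageLevel.WARN, text = "Possible identity spoofing attempt - impersonation parameter removed: {0}" )
+  void possibleIdentitySpoofingAttempt( String impersonationParam );
 }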
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References


News mentions

