Stored XSS in Apache Ambari
Description
A cross-site scripting issue was found in Apache Ambari Views. This was addressed in Apache Ambari 2.7.4.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.ambari:ambari (Maven) | < 2.7.4 | 2.7.4 |
Affected products
- Apache Software Foundation / Apache Ambari
Patches
Vulnerability mechanics
Root cause
"Missing output encoding of breadcrumb labels before rendering in the DOM allows stored cross-site scripting."
Attack vector
An attacker with access to create or modify Ambari resources (e.g., services, hosts, alerts) can inject malicious JavaScript into a breadcrumb label. When a victim navigates to a page whose breadcrumb trail includes the crafted label, the unescaped label is rendered in the browser, executing the attacker's script. This is a stored cross-site scripting attack [CWE-79].
Affected code
The vulnerability resides in `ambari-web/app/views/common/breadcrumbs_view.js`. The `createLabel()` method in `App.BreadcrumbItem` and the breadcrumb-building logic in `App.BreadcrumbsView` did not escape user-controllable label values before inserting them into the DOM, allowing stored XSS.
What the fix does
The patch adds `Ember.Handlebars.Utils.escapeExpression()` calls in two places. In `createLabel()`, the label retrieved via `labelBindingPath` is now escaped before being stored. In the breadcrumb-building loop, `items.slice(1).forEach(...)` escapes each item's label before the `BreadcrumbItem` is created. This ensures that any HTML or JavaScript injected into a breadcrumb label is rendered as safe text rather than executed.
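To make the before/after difference concrete, here is an added illustration (not Ambari's code and not the patch itself) that contrasts a label builder which inserts the raw value with one that encodes it first. The `escapeExpression` helper is a stand-in for `Ember.Handlebars.Utils.escapeExpression` (assumed to encode the same character set as Handlebars), and `lookupPath`, `renderTrail` and the sample resource are constructed for the example.

```javascript
// Stand-in for Ember.Handlebars.Utils.escapeExpression (assumption: same
// character set Handlebars encodes). Not Ambari's own implementation.
const ESCAPE_MAP = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;",
  "'": "&#x27;", "`": "&#x60;", "=": "&#x3D;",
};
function escapeExpression(value) {
  return String(value == null ? "" : value).replace(/[&<>"'`=]/g, (c) => ESCAPE_MAP[c]);
}

// Resolve a dotted path such as "service.displayName" on a context object
// (simplified model of the labelBindingPath lookup described above).
function lookupPath(obj, path) {
  return path.split(".").reduce((o, k) => (o == null ? undefined : o[k]), obj);
}

// Before the fix: the label is returned verbatim, so any markup in the
// resource name reaches the DOM unencoded.
function createLabelVulnerable(item, context) {
  return item.labelBindingPath ? lookupPath(context, item.labelBindingPath) : item.label;
}

// After the fix: the label is encoded before it is stored, so markup is
// rendered as literal text.
function createLabelFixed(item, context) {
  const raw = item.labelBindingPath ? lookupPath(context, item.labelBindingPath) : item.label;
  return escapeExpression(raw);
}

// Build the trail markup the way a template concatenation would; which
// createLabel is passed decides whether user-controlled text is encoded.
function renderTrail(items, context, createLabel) {
  return items.map((it) => `<li>${createLabel(it, context)}</li>`).join("");
}

// Constructed sample: a resource whose display name carries a script tag.
const SAMPLE_CONTEXT = { service: { displayName: "HDFS<script>marker()</script>" } };
const SAMPLE_ITEMS = [{ label: "Services" }, { labelBindingPath: "service.displayName" }];

// Simple check a test or a template linter could apply: no raw tag survives.
function containsRawScriptTag(html) {
  return /<script\b/i.test(html);
}
```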
Preconditions
- Attacker must be able to set or influence a breadcrumb label value (e.g., by creating or renaming an Ambari resource).
- Victim must navigate to an Ambari page whose breadcrumb trail includes the attacker-controlled label.
Generated on Jun 20, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-q7q9-w24q-cpgh (GitHub Security Advisory)
- nvd.nist.gov/vuln/detail/CVE-2020-1936 (NVD)
- www.openwall.com/lists/oss-security/2021/03/02/1 (oss-security mailing list)
- github.com/apache/ambari/pull/3040 (fix pull request)
- github.com/apache/ambari/pull/3040/commits/a9cfdb9dcce63a3494c07c81ebb2cf8da218a210 (fix commit)
- issues.apache.org/jira/browse/AMBARI-25329 (Apache JIRA)
- lists.apache.org/thread.html/946a9d72e664ad8bc592168d9a2fed88100c6e9f1bdfea08e91a3184%40%3Cuser.ambari.apache.org%3E (user@ambari.apache.org announcement)