Unrated severityNVD Advisory· Published Jan 21, 2025· Updated Jan 22, 2025
Apache Ambari: XML External Entity (XXE) Vulnerability in Ambari/Oozie
CVE-2025-23195
Description
An XML External Entity (XXE) vulnerability exists in the Ambari/Oozie project, allowing an attacker to inject malicious XML entities. This vulnerability occurs due to insecure parsing of XML input using the DocumentBuilderFactory class without disabling external entity resolution. An attacker can exploit this vulnerability to read arbitrary files on the server or perform server-side request forgery (SSRF) attacks. The issue has been fixed in both Ambari 2.7.9 and the trunk branch.
Affected products
2- Apache Software Foundation/Apache Ambariv5Range: 0
Patches
Vulnerability mechanics
References
1- lists.apache.org/thread/hsb6mvxd7g37dq1ygtd0pd88gs9tfcwqmitrevendor-advisory
News mentions
0No linked articles in our index yet.