Lucene search

ApacheCVE-2017-15712

HistoryFeb 19, 2018 - 2:29 p.m.

CVE-2017-15712

2018-02-1914:29:00

CWE-22

apache

web.nvd.nist.gov

cve-2017-15712

apache oozie

vulnerability

information security

server exposed files

CVSS2

6.8

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

COMPLETE

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:S/C:C/I:N/A:N

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

AI Score

6.3

Confidence

High

EPSS

0.001

Percentile

17.2%

JSON

Vulnerability allows a user of Apache Oozie 3.1.3-incubating to 4.3.0 and 5.0.0-beta1 to expose private files on the Oozie server process. The malicious user can construct a workflow XML file containing XML directives and configuration that reference sensitive files on the Oozie server host.

Affected configurations

Nvd

Vulners

Node

apacheoozieMatch3.1.2

apacheoozieMatch3.1.3

apacheoozieMatch3.2

apacheoozieMatch3.2.0

apacheoozieMatch3.2.0incubating

apacheoozieMatch3.3.0

apacheoozieMatch3.3.0rc0

apacheoozieMatch3.3.0rc1

apacheoozieMatch3.3.1

apacheoozieMatch3.3.1rc0

apacheoozieMatch3.3.1rc1

apacheoozieMatch3.3.2

apacheoozieMatch3.3.2rc0

apacheoozieMatch4.0.0

apacheoozieMatch4.0.0rc0

apacheoozieMatch4.0.0rc1

apacheoozieMatch4.0.0rc3

apacheoozieMatch4.0.1

apacheoozieMatch4.0.1rc0

apacheoozieMatch4.0.1rc1

apacheoozieMatch4.1.0

apacheoozieMatch4.1.0rc0

apacheoozieMatch4.1.0rc1

apacheoozieMatch4.2.0

apacheoozieMatch4.2.0rc0

apacheoozieMatch4.3.0

apacheoozieMatch4.3.0rc0

apacheoozieMatch4.3.0rc1

apacheoozieMatch5.0.0beta1

VendorProductVersionCPE
apacheoozie3.1.2cpe:2.3:a:apache:oozie:3.1.2:*:*:*:*:*:*:*
apacheoozie3.1.3cpe:2.3:a:apache:oozie:3.1.3:*:*:*:*:*:*:*
apacheoozie3.2cpe:2.3:a:apache:oozie:3.2:*:*:*:*:*:*:*
apacheoozie3.2.0cpe:2.3:a:apache:oozie:3.2.0:*:*:*:*:*:*:*
apacheoozie3.2.0cpe:2.3:a:apache:oozie:3.2.0:incubating:*:*:*:*:*:*
apacheoozie3.3.0cpe:2.3:a:apache:oozie:3.3.0:*:*:*:*:*:*:*
apacheoozie3.3.0cpe:2.3:a:apache:oozie:3.3.0:rc0:*:*:*:*:*:*
apacheoozie3.3.0cpe:2.3:a:apache:oozie:3.3.0:rc1:*:*:*:*:*:*
apacheoozie3.3.1cpe:2.3:a:apache:oozie:3.3.1:*:*:*:*:*:*:*
apacheoozie3.3.1cpe:2.3:a:apache:oozie:3.3.1:rc0:*:*:*:*:*:*

Vendor	Product	Version	CPE
apache	oozie	3.1.2	cpe:2.3:a:apache:oozie:3.1.2:::::::*
apache	oozie	3.1.3	cpe:2.3:a:apache:oozie:3.1.3:::::::*
apache	oozie	3.2	cpe:2.3:a:apache:oozie:3.2:::::::*
apache	oozie	3.2.0	cpe:2.3:a:apache:oozie:3.2.0:::::::*
apache	oozie	3.2.0	cpe:2.3:a:apache:oozie:3.2.0:incubating::::::
apache	oozie	3.3.0	cpe:2.3:a:apache:oozie:3.3.0:::::::*
apache	oozie	3.3.0	cpe:2.3:a:apache:oozie:3.3.0:rc0::::::
apache	oozie	3.3.0	cpe:2.3:a:apache:oozie:3.3.0:rc1::::::
apache	oozie	3.3.1	cpe:2.3:a:apache:oozie:3.3.1:::::::*
apache	oozie	3.3.1	cpe:2.3:a:apache:oozie:3.3.1:rc0::::::

Rows per page:

1-10 of 291

CNA Affected

[
  {
    "product": "Apache Oozie",
    "vendor": "Apache Software Foundation",
    "versions": [
      {
        "status": "affected",
        "version": "3.1.3-incubating to 4.3.0"
      },
      {
        "status": "affected",
        "version": "5.0.0-beta1"
      }
    ]
  }
]

References

www.securityfocus.com/bid/103102

lists.apache.org/thread.html/4606709264fe7cb0285e2a12aca2d01a06b14cd58791c9fc32abd216%40%3Cdev.oozie.apache.org%3E

CVSS2

6.8

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

COMPLETE

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:S/C:C/I:N/A:N

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

AI Score

6.3

Confidence

High

EPSS

0.001

Percentile

17.2%

JSON

Related for CVE-2017-15712