History: Feb 27, 2024 - 9:15 a.m.

CVE-2023-50379

2024-02-27 09:15:36
CWE-94
apache
web.nvd.nist.gov
cve-2023-50379
malicious code injection
apache ambari
security vulnerability
upgrade
cluster operator
root access
nvd

CVSS3: 8.8

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score: 7.3
Confidence: Low

EPSS: 0
Percentile: 9.0%

Malicious code injection in Apache Ambari versions prior to 2.7.8. Users are recommended to upgrade to version 2.7.8, which fixes this issue.

Impact:
A Cluster Operator can manipulate the request by injecting malicious code and gain root access on the cluster's main host.

Affected configurations

Node: apache ambari, Range: ≤ 2.7.7

Vendor: apache
Product: ambari
Version: *
CPE: cpe:2.3:a:apache:ambari:*:*:*:*:*:*:*:*

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "Apache Ambari",
    "vendor": "Apache Software Foundation",
    "versions": [
      {
        "lessThanOrEqual": "2.7.7",
        "status": "affected",
        "version": "2.7.0",
        "versionType": "semver"
      }
    ]
  }
]
