Lucene search

GitHub Advisory DatabaseGHSA-WG5W-VV93-3F7W

HistoryDec 20, 2018 - 10:01 p.m.

Moderate severity vulnerability that affects org.apache.oozie:oozie-core

2018-12-2022:01:18

CWE-20

GitHub Advisory Database

github.com

4 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:S/C:N/I:P/A:N

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

0.001 Low

EPSS

Percentile

26.3%

JSON

Vulnerability allows a user of Apache Oozie 3.1.3-incubating to 5.0.0 to impersonate other users. The malicious user can construct an XML that results workflows running in other user’s name.

Affected configurations

Vulners

Node

org.apache.oozie\oozieMatchcore

CPENameOperatorVersion
org.apache.oozie:oozie-corele5.0.0

CPE	Name	Operator	Version
	org.apache.oozie:oozie-core	le	5.0.0

References

www.securityfocus.com/bid/106266

github.com/advisories/GHSA-wg5w-vv93-3f7w

lists.apache.org/thread.html/347e7a8cb86014b7ca37e49eb00b8d088203bdc0bcfb4799f8e5955a@%3Cuser.oozie.apache.org%3E

nvd.nist.gov/vuln/detail/CVE-2018-11799

4 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:S/C:N/I:P/A:N

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

0.001 Low

EPSS

Percentile

26.3%

JSON

Related for GHSA-WG5W-VV93-3F7W