Cloudera Manager <= 5.5 Stored and Reflected XSS (CVE-2016-4948)

ID SSV:93015
Type seebug
Reporter Root
Modified 2017-04-24T00:00:00


Cloudera Manager <= 5.5 is vulnerable to multiple cross-site scripting (XSS) issues:

  • Stored:
      • In the Template Name field of the following page: http://<cloudera_manager_IP>:7180/cmf/hardware/hosts/templates
      • In the following fields of the Kerberos activation page, which can then be triggered by visiting the page http://<cloudera_manager_IP>:7180/cmf/clusters/1/kerberos/wizard:
          • KDC Server Host
          • Kerberos Security Realm
          • Kerberos Encryption Types
          • Advanced Configuration Snippet (Safety Valve) for [libdefaults] section of krb5.conf
          • Advanced Configuration Snippet (Safety Valve) for the Default Realm in krb5.conf
          • Advanced Configuration Snippet (Safety Valve) for remaining krb5.conf
          • Active Directory Account Prefix

  • Reflected, in the following GET request:

    http://<cloudera_manager_IP>:7180/cmf/cloudera-director/redirect?classicWizard=[XSS]&clusterid=1

The Cloudera CERT indicated that these vulnerabilities are fixed in version 5.8.
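
For deployments that cannot be upgraded immediately, the reflected request above can be hunted for in web or proxy access logs. The following is an added example, not part of the original advisory or Cloudera's code: it flags requests to the redirect endpoint whose classicWizard value contains markup after percent-decoding, and it covers only the reflected vector. The log line layout and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Endpoint and parameter named in the advisory.
REFLECTED_PATH = "/cmf/cloudera-director/redirect"
REFLECTED_PARAM = "classicWizard"

# Assumption: access-log lines carry a quoted request line, "METHOD target HTTP/x.y".
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# HTML/script metacharacters that a wizard flag has no reason to contain.
MARKUP_RE = re.compile(r"[<>\"'`]|javascript:", re.IGNORECASE)

# Constructed sample log lines (not taken from a real system).
SAMPLE_LOG = [
    '10.0.0.5 - admin [24/Apr/2017:10:00:01 +0000] "GET /cmf/cloudera-director/redirect?classicWizard=true&clusterid=1 HTTP/1.1" 302 0',
    '10.0.0.9 - - [24/Apr/2017:10:02:13 +0000] "GET /cmf/cloudera-director/redirect?classicWizard=%3Cscript%3E1%3C%2Fscript%3E&clusterid=1 HTTP/1.1" 200 512',
    '10.0.0.9 - - [24/Apr/2017:10:02:40 +0000] "GET /cmf/cloudera-director/redirect?classicWizard=%253Cb%253E&clusterid=1 HTTP/1.1" 200 498',
    '10.0.0.7 - admin [24/Apr/2017:10:05:00 +0000] "GET /cmf/hardware/hosts/templates HTTP/1.1" 200 2048',
]

def fully_decode(value, max_rounds=3):
    """Undo nested percent-encoding (e.g. %253C -> %3C -> <)."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_requests(log_lines):
    """Return (line_number, decoded_value) for markup in the reflected parameter."""
    hits = []
    for lineno, line in enumerate(log_lines, 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        target = urlsplit(match.group(1))
        if target.path.rstrip("/") != REFLECTED_PATH:
            continue
        # parse_qs performs the first round of percent-decoding.
        for value in parse_qs(target.query, keep_blank_values=True).get(REFLECTED_PARAM, []):
            decoded = fully_decode(value)
            if MARKUP_RE.search(decoded):
                hits.append((lineno, decoded))
    return hits

if __name__ == "__main__":
    for lineno, value in suspicious_requests(SAMPLE_LOG):
        print(f"line {lineno}: {REFLECTED_PARAM} contains markup: {value!r}")
```

The stored variants are submitted through form fields, so they will not show up in a query-string search like this one.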