Cloudera Manager <= 5.5: Enumerating user sessions with an unprivileged account (CVE-2016-4950)

2017-04-24T00:00:00
ID SSV:93017
Type seebug
Reporter Root
Modified 2017-04-24T00:00:00

Description

Cloudera Manager <= 5.5 is vulnerable to an access control issue that allows an unprivileged account to enumerate the currently active user sessions with the following GET request:

http://<cloudera_manager_IP>:7180/api/v11/users/sessions

It is worth mentioning that a user who accesses Cloudera Manager through the API does not appear in the "currently connected" user list, so the enumeration itself is not visible there.

The Cloudera CERT indicated that this vulnerability is fixed in version 5.8.

Moreover, Cloudera Manager <= 5.5 is vulnerable to a second access control issue that allows an unprivileged user to enumerate the registered users and their roles with the following GET request:

http://<cloudera_manager_IP>:7180/api/v1/users
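As an added detection example (not part of this Seebug entry or of Cloudera's code), the following Python scans web-server access logs for GET requests to the two enumeration endpoints named above made by accounts outside an admin allowlist, and checks a Cloudera Manager version against the 5.8 fix release. The access-log format, the sample lines and the admin allowlist are constructed assumptions; adapt the regex to the real log layout.

```python
import re

# Endpoints named in the advisory; the API version segment is matched generically
# because the page cites both /api/v11/users/sessions and /api/v1/users.
SESSION_ENUM = re.compile(r"^/api/v\d+/users/sessions/?$")
USER_ENUM = re.compile(r"^/api/v\d+/users/?$")

# Assumed common-log-style line: client, ident, HTTP user, timestamp, request, status, bytes.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[[^\]]*\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log: alice and bob are unprivileged, admin is on the allowlist.
SAMPLE_LOG = """\
10.0.0.5 - alice [24/Apr/2017:10:00:01 +0000] "GET /api/v11/users/sessions HTTP/1.1" 200 512
10.0.0.5 - alice [24/Apr/2017:10:00:03 +0000] "GET /api/v1/users HTTP/1.1" 200 1024
10.0.0.9 - admin [24/Apr/2017:10:01:00 +0000] "GET /api/v11/users/sessions HTTP/1.1" 200 512
10.0.0.7 - bob [24/Apr/2017:10:02:00 +0000] "GET /api/v11/clusters HTTP/1.1" 200 2048
10.0.0.7 - bob [24/Apr/2017:10:02:05 +0000] "GET /api/v1/users?view=full HTTP/1.1" 403 0
""".splitlines()


def classify(method, path):
    """Return which enumeration endpoint a request targets, or None."""
    if method != "GET":
        return None
    path = path.split("?", 1)[0]  # ignore query string
    if SESSION_ENUM.match(path):
        return "session-enumeration"
    if USER_ENUM.match(path):
        return "user-enumeration"
    return None


def find_enumeration(log_lines, admins):
    """List (user, client, kind, status) for enumeration requests by non-admin users.

    Status 200 means the server answered the request (unpatched behaviour);
    403 means it was refused but still records an attempt worth reviewing.
    """
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or m["user"] in admins:
            continue
        kind = classify(m["method"], m["path"])
        if kind is not None:
            hits.append((m["user"], m["client"], kind, m["status"]))
    return hits


def version_is_fixed(version):
    """True when the Cloudera Manager version is at or above 5.8, the fix release the advisory names."""
    major, minor = (int(x) for x in version.split(".")[:2])
    return (major, minor) >= (5, 8)
```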