Apache Ambari and Oozie XML External Entity (XXE) Vulnerability

Vulnerability

An XML External Entity (XXE) vulnerability has been identified in Apache Ambari versions prior to 2.7.9, specifically within the Oozie project. The affected code parses XML with the DocumentBuilderFactory class without disabling external entity resolution, so an attacker who can supply XML to that parser can declare an external entity that the parser then fetches. Because the entity's SYSTEM identifier may name a local file or a URL, an attacker could read arbitrary files on the server or conduct server-side request forgery (SSRF) attacks from it.

Impact

Exploitation of this vulnerability could lead to unauthorized read access to files on the server, or to server-side request forgery (SSRF) against internal services reachable from the affected host.

Remediation

Users should upgrade to Apache Ambari 2.7.9 or the latest trunk version, which contains the fix for this vulnerability.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 4.5
impact: 3.1
exploitability: 7.0
remediation: 7.7
relevance: 0.0
threat: 0.0
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.