Date: Tue, 13 Oct 2015 01:42:52 +0000
From: Yusaku Sako <yusaku@...tonworks.com>
To: Robert Levas <rlevas@...tonworks.com>, "user@...ari.apache.org"
	<user@...ari.apache.org>, "dev@...ari.apache.org" <dev@...ari.apache.org>,
	"security@...che.org" <security@...che.org>,
	"oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>,
	"bugtraq@...urityfocus.com" <bugtraq@...urityfocus.com>
Subject: [CVE-2015-3270] A non-administrative user can escalate themselves to have administrative privileges remotely

CVE-2015-3270: A non-administrative user can escalate themselves to have administrative privileges remotely

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected: 1.7.0, 2.0.0, 2.0.1, 2.1.0

Versions Fixed: 2.0.2, 2.1.1

Description: An authenticated user can remotely escalate his/her permissions to administrative level. This escalates their privileges for access through the API as well as from the UI.

Mitigation: Ambari users should upgrade to version 2.1.1 or above (2.0.0 and 2.0.1 can be upgraded to 2.0.2).

In fixed versions of Ambari (2.0.2, and 2.1.1 onward), access to the user resource endpoint is protected such that only a user with administrator privileges can escalate a user's privileges. A user, however, may still access the endpoint but may only change their own password.
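The access-control rule the fixed versions apply to the user resource endpoint, as an added illustration that is not Ambari's own code: the pre-fix handler checks only that the caller is authenticated, while the hardened handler lets administrators change any field on any user and restricts everyone else to their own password. The field names ("password", "admin", "active") and the User/request shapes are assumptions for the example, not Ambari's actual schema.

```python
"""Added example, not Ambari's code: an authorization check modelled on the
fix described in this advisory for CVE-2015-3270, vulnerable beside hardened."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class User:
    name: str
    is_admin: bool


# Fields a non-administrative user may change on their own account.
# Assumed field names for illustration; Ambari's real schema is not shown here.
SELF_SERVICE_FIELDS = frozenset({"password"})


def authorize_update_vulnerable(requester: Optional[User], target: str,
                                changes: Dict[str, object]) -> bool:
    """Pre-fix behaviour: authentication is the only gate. Any logged-in user
    may update any field (including an admin flag) on any user resource."""
    return requester is not None


def authorize_update_fixed(requester: Optional[User], target: str,
                           changes: Dict[str, object]) -> Tuple[bool, str]:
    """Post-fix behaviour: administrators may change anything; a non-admin may
    still reach the endpoint but may only change their own password.
    Returns (allowed, reason) so the reason can be logged on denial."""
    if requester is None:
        return False, "unauthenticated"
    if requester.is_admin:
        return True, "administrator"
    if requester.name != target:
        return False, "non-admin may not modify another user's resource"
    # Deny-by-default: any field outside the self-service set (e.g. an
    # "admin" or "active" flag) is a privilege change and is rejected.
    disallowed = set(changes) - SELF_SERVICE_FIELDS
    if disallowed:
        return False, "non-admin may not change %s" % sorted(disallowed)
    return True, "self-service password change"
```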

Credit: This issue was discovered by security analysts at Blue Cross Blue Shield Association
