[<prev] [next>] [day] [month] [year] [list]
Date: Tue, 13 Oct 2015 01:42:52 +0000
From: Yusaku Sako <yusaku@...tonworks.com>
To: Robert Levas <rlevas@...tonworks.com>, "user@...ari.apache.org"
<user@...ari.apache.org>, "dev@...ari.apache.org" <dev@...ari.apache.org>,
"security@...che.org" <security@...che.org>,
"oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>,
"bugtraq@...urityfocus.com" <bugtraq@...urityfocus.com>
Subject: [CVE-2015-3270] A non-administrative user can escalate themselves
to have administrative privileges remotely
CVE-2015-3270: A non-administrative user can escalate themselves to have administrative privileges remotely
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected: 1.7.0, 2.0.0, 2.0.1, 2.1.0
Versions Fixed: 2.0.2, 2.1.1
Description: An authenticated user can remotely escalate his/her permissions to administrative level. This can escalate their privileges for access through the API as well from the UI.
Mitigation: Ambari users should upgrade to version 2.1.1 or above (2.0.0 and 2.0.1 can be upgraded to 2.0.2).
In fixed versions of Ambari (2.0.2; 2.1.1 and onward), access to the user resource endpoint is protected such that only a user with administrator privileges can esculate a user's privileges. A user, however, may still access the endpoint but may only change their own password.
Credit: This issue was discovered by security analysts at Blue Cross Blue Shield Association
Powered by blists - more mailing lists
Please check out the
Open Source Software Security Wiki, which is counterpart to this
mailing list.
Confused about mailing lists and their use?
Read about mailing lists on Wikipedia
and check out these
guidelines on proper formatting of your messages.
