Date: Tue, 13 Oct 2015 01:42:52 +0000 From: Yusaku Sako <yusaku@...tonworks.com> To: Robert Levas <rlevas@...tonworks.com>, "user@...ari.apache.org" <user@...ari.apache.org>, "dev@...ari.apache.org" <dev@...ari.apache.org>, "security@...che.org" <security@...che.org>, "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>, "bugtraq@...urityfocus.com" <bugtraq@...urityfocus.com> Subject: [CVE-2015-3270] A non-administrative user can escalate themselves to have administrative privileges remotely CVE-2015-3270: A non-administrative user can escalate themselves to have administrative privileges remotely Severity: Important Vendor: The Apache Software Foundation Versions Affected: 1.7.0, 2.0.0, 2.0.1, 2.1.0 Versions Fixed: 2.0.2, 2.1.1 Description: An authenticated user can remotely escalate his/her permissions to administrative level. This can escalate their privileges for access through the API as well from the UI. Mitigation: Ambari users should upgrade to version 2.1.1 or above (2.0.0 and 2.0.1 can be upgraded to 2.0.2). In fixed versions of Ambari (2.0.2; 2.1.1 and onward), access to the user resource endpoint is protected such that only a user with administrator privileges can esculate a user's privileges. A user, however, may still access the endpoint but may only change their own password. Credit: This issue was discovered by security analysts at Blue Cross Blue Shield Association
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.