oss-security - Re: CVE-2022-42009: Apache Ambari: A malicious authenticated user can remotely execute arbitrary code in the context of the application.

Follow @Openwall on Twitter for new release announcements and other news

[<prev] [next>] [<thread-prev] [day] [month] [year] [list]

Date: Tue, 11 Jul 2023 17:36:03 +0200
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Cc: Brandon Perry <bperry.volatile@...il.com>,
	Brahma Reddy Battula <brahma@...che.org>, Jecki Go <jecgo@...a.com>
Subject: Re: CVE-2022-42009: Apache Ambari: A malicious authenticated user can remotely execute arbitrary code in the context of the application.

On Mon, Jul 10, 2023 at 10:08:22AM -0500, Brandon Perry wrote:
> Do you have an example proof of concept or a bug link for this?

Added CC's.
Brahma or Jecki, can you address Brandon's question above, please?

Alexander

> On Mon, Jul 10, 2023 at 10:06???AM Brahma Reddy Battula <brahma@...che.org> wrote:
> > Affected versions:
> >
> > - Apache Ambari 2.7.0 through 2.7.6
> >
> > Description:
> >
> > SpringEL injection in the server agent in Apache Ambari version 2.7.0 to
> > 2.7.6 allows a malicious authenticated user to execute arbitrary code
> > remotely. Users are recommended to upgrade to 2.7.7.
> >
> > Credit:
> >
> > Jecki Go (jecgo@...a.com) (finder)
> >
> > References:
> >
> > https://ambari.apache.org/
> > https://www.cve.org/CVERecord?id=CVE-2022-42009

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.