oss-sec mailing list archives

[CVE-2018-11799] Apache Oozie security vulnerability


From: Gézapeti Cseh <gezapeti () apache org>
Date: Wed, 19 Dec 2018 19:46:03 +0100

CVE-2018-11799: Apache Oozie security vulnerability

Severity:  8.7 (High) (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N)

Vendor: The Apache Software Foundation

Versions Affected: Oozie versions earlier than 5.1.0

Description: A malicious user can construct an XML that results in workflows
running in another user's name.

Mitigation: Upgrade to Apache Oozie 5.1.0

Credit: This issue was discovered by Satish Subhashrao Saley at Oath / Yahoo!

Gezapeti Cseh
