oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

CVE-2025-23195: Apache Ambari: XML External Entity (XXE) Vulnerability in Ambari/Oozie

From: Viraj Jasani <vjasani () apache org>
Date: Tue, 21 Jan 2025 20:32:18 +0000
Severity: moderate

Affected versions:

- Apache Ambari before 2.7.9

Description:

An XML External Entity (XXE) vulnerability exists in the Ambari/Oozie 
project, allowing an attacker to inject malicious XML entities. This 
vulnerability occurs due to insecure parsing of XML input using the 
`DocumentBuilderFactory` class without disabling external entity 
resolution. An attacker can exploit this vulnerability to read arbitrary
 files on the server or perform server-side request forgery (SSRF) 
attacks. The issue has been fixed in both Ambari 2.7.9 and the trunk 
branch.

References:

https://ambari.apache.org/
https://www.cve.org/CVERecord?id=CVE-2025-23195
Previous By Date Next
Previous By Thread Next

Current thread: