Home > Vulnerability Database > CVE-2023-50380

Mend.io Vulnerability Database

CVE-2023-50380

Good to know:

Date: February 27, 2024

XML External Entity injection in apache ambari versions <= 2.7.7, Users are recommended to upgrade to version 2.7.8, which fixes this issue. More Details: Oozie Workflow Scheduler had a vulnerability that allowed for root-level file reading and privilege escalation from low-privilege users. The vulnerability was caused through lack of proper user input validation. This vulnerability is known as an XML External Entity (XXE) injection attack. Attackers can exploit XXE vulnerabilities to read arbitrary files on the server, including sensitive system files. In theory, it might be possible to use this to escalate privileges.

Language: Java

Severity Score

7.6

Related Resources (4)

Url: https://nvd.nist.gov/vuln/detail/CVE-2023-50380

Url: https://lists.apache.org/thread/qrt7mq7v7zyrh1qsh1gkg1m7clysvy32

Url: http://www.openwall.com/lists/oss-security/2024/02/27/6

Url: https://www.mend.io/vulnerability-database/CVE-2023-50380

Severity Score

7.6

Weakness Type (CWE)

Improper Restriction of XML External Entity Reference ('XXE')

CWE-611

Top Fix

Upgrade Version

Upgrade to version release-2.7.8

Learn More

CVSS v3.1

Base Score:	7.6
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	LOW
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	LOW
Availability (A):	LOW

Mend.io Vulnerability Database

We found results for “”

CVE-2023-50380

Good to know:

Date: February 27, 2024

Language: Java

Severity Score

Related Resources (4)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?