Home > Vulnerability Database > CVE-2025-23195

Mend.io Vulnerability Database

CVE-2025-23195

Date: January 21, 2025

An XML External Entity (XXE) vulnerability exists in the Ambari/Oozie project, allowing an attacker to inject malicious XML entities. This vulnerability occurs due to insecure parsing of XML input using the "DocumentBuilderFactory" class without disabling external entity resolution. An attacker can exploit this vulnerability to read arbitrary files on the server or perform server-side request forgery (SSRF) attacks. The issue has been fixed in both Ambari 2.7.9 and the trunk branch.

Severity Score

7.5

Related Resources (4)

Url: http://www.openwall.com/lists/oss-security/2025/01/21/7

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-23195

Url: https://lists.apache.org/thread/hsb6mvxd7g37dq1ygtd0pd88gs9tfcwq

Url: https://www.mend.io/vulnerability-database/CVE-2025-23195

Severity Score

7.5

Weakness Type (CWE)

Improper Restriction of XML External Entity Reference

CWE-611

CVSS v3.1

Base Score:	7.5
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	NONE
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2025-23195

Date: January 21, 2025

Severity Score

Related Resources (4)

Severity Score

Weakness Type (CWE)

CVSS v3.1

Do you need more information?