CVE-2025-23195

Jan. 22, 2025, 3:15 p.m.

7.5
High

Description

An XML External Entity (XXE) vulnerability exists in the Ambari/Oozie project, allowing an attacker to inject malicious XML entities. This vulnerability occurs due to insecure parsing of XML input using the `DocumentBuilderFactory` class without disabling external entity resolution. An attacker can exploit this vulnerability to read arbitrary files on the server or perform server-side request forgery (SSRF) attacks. The issue has been fixed in both Ambari 2.7.9 and the trunk branch.

Product(s) Impacted

Product Versions
Ambari
  • ['2.7.9', 'trunk']
Oozie
  • []

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-611
Improper Restriction of XML External Entity Reference
The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

References

https://lists.apache.org/thread/hsb6mvxd7g37dq1ygtd0pd88gs9tfcwq
http://www.openwall.com/lists/oss-security/2025/01/21/7

Tags

CWE-611
security@apache.org
2025-01-21
CVE-2025-23195

CVSS Score

7.5 / 10

CVSS Data - 3.1

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: HIGH
  • Integrity Impact: NONE
  • Availability Impact: NONE

    • CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

    View Vector String

Timeline

Published: Jan. 21, 2025, 10:15 p.m.
Last Modified: Jan. 22, 2025, 3:15 p.m.

Status : Awaiting Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

security@apache.org

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.