CVE-2018-11799

Vulnerability allows a user of Apache Oozie 3.1.3-incubating to 5.0.0 to impersonate other users. The malicious user can construct an XML that results workflows running in other user's name.

CVSS v3 6.5 MEDIUM
CVSS v2.0 4.0 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

Vector : AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

4.0^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:L/Au:S/C:N/I:P/A:N

Exploitability : 8.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
http://www.securityfocus.com/bid/106266	Third Party Advisory VDB Entry
https://lists.apache.org/thread.html/347e7a8cb86014b7ca37e49eb00b8d088203bdc0bcfb4799f8e5955a%40%3Cuser.oozie.apache.org%3E

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:apache:oozie::::::::
	cpe:2.3:a:apache:oozie:3.1.3:incubating::::::

History

No history.

Information

Published : 2018-12-19 20:29

Updated : 2024-02-04 20:03

NVD link : CVE-2018-11799

Mitre link : CVE-2018-11799

CVE.ORG link : CVE-2018-11799

JSON object : View

Products Affected

apache

oozie

CWE

CWE-20

Improper Input Validation

{"id": "CVE-2018-11799", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N", "authentication": "SINGLE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 2.8}]}, "published": "2018-12-19T20:29:00.230", "references": [{"url": "http://www.securityfocus.com/bid/106266", "tags": ["Third Party Advisory", "VDB Entry"], "source": "security@apache.org"}, {"url": "https://lists.apache.org/thread.html/347e7a8cb86014b7ca37e49eb00b8d088203bdc0bcfb4799f8e5955a%40%3Cuser.oozie.apache.org%3E", "source": "security@apache.org"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-20"}]}], "descriptions": [{"lang": "en", "value": "Vulnerability allows a user of Apache Oozie 3.1.3-incubating to 5.0.0 to impersonate other users. The malicious user can construct an XML that results workflows running in other user's name."}, {"lang": "es", "value": "Una vulnerabilidad permite que un usuario de Apache Oozie, desde la versi\u00f3n 3.1.3-incubating hasta la 5.0.0, suplante a otros usuarios. El usuario malicioso puede construir un XML que resulta en que los workflows se ejecutan en nombre de otro usuario."}], "lastModified": "2023-11-07T02:51:48.193", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:apache:oozie:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "287B5C86-AE53-44FE-95FB-09512E00C6AF", "versionEndExcluding": "5.1.0", "versionStartIncluding": "3.1.3"}, {"criteria": "cpe:2.3:a:apache:oozie:3.1.3:incubating:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C2DDDACA-F6D3-4143-8ADD-8FB30E80BC3F"}], "operator": "OR"}]}], "sourceIdentifier": "security@apache.org"}