CVE-2021-42357 (GCVE-0-2021-42357)
Vulnerability from cvelistv5 – Published: 2022-01-17 19:25 – Updated: 2024-08-04 03:30
Title
DOM based XSS Vulnerability in Apache Knox
Summary
When using Apache Knox SSO prior to 1.6.1, a request could be crafted to redirect a user to a malicious page due to improper URL parsing. A request that included a specially crafted request parameter could be used to redirect the user to a page controlled by an attacker. This URL would need to be presented to the user outside the normal request flow through a XSS or phishing campaign.
Severity
No CVSS data available. The CNA record does carry a non-CVSS metric (`metrics[].other.content.other`) rating this issue "moderate"; that is the assigner's own rating, not a CVSS score, so it cannot be compared directly with CVSS-based severities.
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner: apache (security@apache.org)
References
| URL | Tags |
|---|---|
| https://lists.apache.org/thread/b7v5dkpyqb51nw0lvz4cybhgrfhk1g7j | x_refsource_MISC |
| http://www.openwall.com/lists/oss-security/2022/01/17/2 | mailing-list, x_refsource_MLIST |
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Apache Software Foundation | Apache Knox | Affected: Apache Knox 1.x, < 1.6.1 (custom); Affected: 0.12.0, < Apache Knox 0.x* (custom) |

Note on the second range: in the record its `lessThan` field holds the label "Apache Knox 0.x*" rather than a version number, so automated version matching on it is unreliable. The legacy v4 record in the same entry encodes it as `version_affected` ">" with `version_value` 0.12.0, and the workaround text names 0.13.0 and 0.14.0 (and 1.0.0 and 1.1.0) as unsupported but affected releases; all affected users are directed to 1.6.1.
Credits
Apache Knox would like to thank Kajetan Rostojek for this report
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T03:30:38.347Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lists.apache.org/thread/b7v5dkpyqb51nw0lvz4cybhgrfhk1g7j"
},
{
"name": "[oss-security] 20220117 CVE-2021-42357: DOM based XSS Vulnerability in Apache Knox",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2022/01/17/2"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache Knox",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "1.6.1",
"status": "affected",
"version": "Apache Knox 1.x",
"versionType": "custom"
},
{
"lessThan": "Apache Knox 0.x*",
"status": "affected",
"version": "0.12.0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Apache Knox would like to thank Kajetan Rostojek for this report"
}
],
"descriptions": [
{
"lang": "en",
"value": "When using Apache Knox SSO prior to 1.6.1, a request could be crafted to redirect a user to a malicious page due to improper URL parsing. A request that included a specially crafted request parameter could be used to redirect the user to a page controlled by an attacker. This URL would need to be presented to the user outside the normal request flow through a XSS or phishing campaign."
}
],
"metrics": [
{
"other": {
"content": {
"other": "moderate"
},
"type": "unknown"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-01-17T21:06:09",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.apache.org/thread/b7v5dkpyqb51nw0lvz4cybhgrfhk1g7j"
},
{
"name": "[oss-security] 20220117 CVE-2021-42357: DOM based XSS Vulnerability in Apache Knox",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2022/01/17/2"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "DOM based XSS Vulnerability in Apache Knox",
"workarounds": [
{
"lang": "en",
"value": "1.x users should upgrade to 1.6.1.\nUnsupported versions of the 0.x line that include this issue are: 0.13.0, 0.14.0.\nand these should upgrade to 1.6.1 as well.\n1.0.0 and 1.1.0 are also Unsupported but affected and should upgrade to 1.6.1.\n"
}
],
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2021-42357",
"STATE": "PUBLIC",
"TITLE": "DOM based XSS Vulnerability in Apache Knox"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache Knox",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "Apache Knox 1.x",
"version_value": "1.6.1"
},
{
"version_affected": "\u003e",
"version_name": "Apache Knox 0.x",
"version_value": "0.12.0"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Apache Knox would like to thank Kajetan Rostojek for this report"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "When using Apache Knox SSO prior to 1.6.1, a request could be crafted to redirect a user to a malicious page due to improper URL parsing. A request that included a specially crafted request parameter could be used to redirect the user to a page controlled by an attacker. This URL would need to be presented to the user outside the normal request flow through a XSS or phishing campaign."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": [
{
"other": "moderate"
}
],
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://lists.apache.org/thread/b7v5dkpyqb51nw0lvz4cybhgrfhk1g7j",
"refsource": "MISC",
"url": "https://lists.apache.org/thread/b7v5dkpyqb51nw0lvz4cybhgrfhk1g7j"
},
{
"name": "[oss-security] 20220117 CVE-2021-42357: DOM based XSS Vulnerability in Apache Knox",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2022/01/17/2"
}
]
},
"source": {
"discovery": "UNKNOWN"
},
"work_around": [
{
"lang": "en",
"value": "1.x users should upgrade to 1.6.1.\nUnsupported versions of the 0.x line that include this issue are: 0.13.0, 0.14.0.\nand these should upgrade to 1.6.1 as well.\n1.0.0 and 1.1.0 are also Unsupported but affected and should upgrade to 1.6.1.\n"
}
]
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2021-42357",
"datePublished": "2022-01-17T19:25:09",
"dateReserved": "2021-10-14T00:00:00",
"dateUpdated": "2024-08-04T03:30:38.347Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-5646 (GCVE-0-2017-5646)
Vulnerability from cvelistv5 – Published: 2017-05-26 21:00 – Updated: 2024-08-05 15:11
Summary
For versions of Apache Knox from 0.2.0 to 0.11.0 - an authenticated user may use a specially crafted URL to impersonate another user while accessing WebHDFS through Apache Knox. This may result in escalated privileges and unauthorized data access. While this activity is audit logged and can be easily associated with the authenticated user, this is still a serious security issue. All users are recommended to upgrade to the Apache Knox 0.12.0 release.
Severity ?
No CVSS data available.
CWE
- Escalated Privileges and Data Access (free-text problem type; the record assigns no CWE identifier)
Assigner: apache (security@apache.org)
References
| URL | Tags |
|---|---|
| http://mail-archives.apache.org/mod_mbox/knox-user/201705.mbox/%3CCACRbFyjtT7QQGHUzTRdbJoySbJb7tt4BDk5-r-VRn0GB0Kgvag%40mail.gmail.com%3E | mailing-list, x_refsource_MLIST |
| http://www.securityfocus.com/bid/98739 | vdb-entry, x_refsource_BID |
| https://lists.apache.org/thread.html/rcd6bcbcc08840d4e4bea661efe9a5ef8f6126ebbbc5bc266701d8f48%40%3Cdev.logging.apache.org%3E | mailing-list, x_refsource_MLIST |
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Apache Software Foundation | Apache Knox | Affected: 0.2.0 to 0.11.0 |

Note: the record expresses the range as the free-text string "0.2.0 to 0.11.0" with no `versionType` or `lessThan`, so it is not machine-comparable; the description names 0.12.0 as the fixed release.
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T15:11:47.380Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "[knox-user] 20170526 [ANNOUNCE] CVE-2017-5646: Apache Knox Impersonation Issue for WebHDFS",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://mail-archives.apache.org/mod_mbox/knox-user/201705.mbox/%3CCACRbFyjtT7QQGHUzTRdbJoySbJb7tt4BDk5-r-VRn0GB0Kgvag%40mail.gmail.com%3E"
},
{
"name": "98739",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/98739"
},
{
"name": "[logging-dev] 20201107 Re: Chainsaw update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rcd6bcbcc08840d4e4bea661efe9a5ef8f6126ebbbc5bc266701d8f48%40%3Cdev.logging.apache.org%3E"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache Knox",
"vendor": "Apache Software Foundation",
"versions": [
{
"status": "affected",
"version": "0.2.0 to 0.11.0"
}
]
}
],
"datePublic": "2017-05-26T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "For versions of Apache Knox from 0.2.0 to 0.11.0 - an authenticated user may use a specially crafted URL to impersonate another user while accessing WebHDFS through Apache Knox. This may result in escalated privileges and unauthorized data access. While this activity is audit logged and can be easily associated with the authenticated user, this is still a serious security issue. All users are recommended to upgrade to the Apache Knox 0.12.0 release."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Escalated Privileges and Data Access",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-11-08T01:06:18",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"name": "[knox-user] 20170526 [ANNOUNCE] CVE-2017-5646: Apache Knox Impersonation Issue for WebHDFS",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://mail-archives.apache.org/mod_mbox/knox-user/201705.mbox/%3CCACRbFyjtT7QQGHUzTRdbJoySbJb7tt4BDk5-r-VRn0GB0Kgvag%40mail.gmail.com%3E"
},
{
"name": "98739",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/98739"
},
{
"name": "[logging-dev] 20201107 Re: Chainsaw update",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rcd6bcbcc08840d4e4bea661efe9a5ef8f6126ebbbc5bc266701d8f48%40%3Cdev.logging.apache.org%3E"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2017-5646",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache Knox",
"version": {
"version_data": [
{
"version_value": "0.2.0 to 0.11.0"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "For versions of Apache Knox from 0.2.0 to 0.11.0 - an authenticated user may use a specially crafted URL to impersonate another user while accessing WebHDFS through Apache Knox. This may result in escalated privileges and unauthorized data access. While this activity is audit logged and can be easily associated with the authenticated user, this is still a serious security issue. All users are recommended to upgrade to the Apache Knox 0.12.0 release."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Escalated Privileges and Data Access"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "[knox-user] 20170526 [ANNOUNCE] CVE-2017-5646: Apache Knox Impersonation Issue for WebHDFS",
"refsource": "MLIST",
"url": "http://mail-archives.apache.org/mod_mbox/knox-user/201705.mbox/%3CCACRbFyjtT7QQGHUzTRdbJoySbJb7tt4BDk5-r-VRn0GB0Kgvag%40mail.gmail.com%3E"
},
{
"name": "98739",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/98739"
},
{
"name": "[logging-dev] 20201107 Re: Chainsaw update",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rcd6bcbcc08840d4e4bea661efe9a5ef8f6126ebbbc5bc266701d8f48@%3Cdev.logging.apache.org%3E"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2017-5646",
"datePublished": "2017-05-26T21:00:00",
"dateReserved": "2017-01-29T00:00:00",
"dateUpdated": "2024-08-05T15:11:47.380Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-42357 (GCVE-0-2021-42357)
Vulnerability from nvd – Published: 2022-01-17 19:25 – Updated: 2024-08-04 03:30
Title
DOM based XSS Vulnerability in Apache Knox
Summary
When using Apache Knox SSO prior to 1.6.1, a request could be crafted to redirect a user to a malicious page due to improper URL parsing. A request that included a specially crafted request parameter could be used to redirect the user to a page controlled by an attacker. This URL would need to be presented to the user outside the normal request flow through a XSS or phishing campaign.
Severity
No CVSS data available. The CNA record does carry a non-CVSS metric (`metrics[].other.content.other`) rating this issue "moderate"; that is the assigner's own rating, not a CVSS score, so it cannot be compared directly with CVSS-based severities.
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner: apache (security@apache.org)
References
| URL | Tags |
|---|---|
| https://lists.apache.org/thread/b7v5dkpyqb51nw0lvz4cybhgrfhk1g7j | x_refsource_MISC |
| http://www.openwall.com/lists/oss-security/2022/01/17/2 | mailing-list, x_refsource_MLIST |
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Apache Software Foundation | Apache Knox | Affected: Apache Knox 1.x, < 1.6.1 (custom); Affected: 0.12.0, < Apache Knox 0.x* (custom) |

Note on the second range: in the record its `lessThan` field holds the label "Apache Knox 0.x*" rather than a version number, so automated version matching on it is unreliable. The legacy v4 record in the same entry encodes it as `version_affected` ">" with `version_value` 0.12.0, and the workaround text names 0.13.0 and 0.14.0 (and 1.0.0 and 1.1.0) as unsupported but affected releases; all affected users are directed to 1.6.1.
Credits
Apache Knox would like to thank Kajetan Rostojek for this report
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T03:30:38.347Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lists.apache.org/thread/b7v5dkpyqb51nw0lvz4cybhgrfhk1g7j"
},
{
"name": "[oss-security] 20220117 CVE-2021-42357: DOM based XSS Vulnerability in Apache Knox",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2022/01/17/2"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache Knox",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "1.6.1",
"status": "affected",
"version": "Apache Knox 1.x",
"versionType": "custom"
},
{
"lessThan": "Apache Knox 0.x*",
"status": "affected",
"version": "0.12.0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Apache Knox would like to thank Kajetan Rostojek for this report"
}
],
"descriptions": [
{
"lang": "en",
"value": "When using Apache Knox SSO prior to 1.6.1, a request could be crafted to redirect a user to a malicious page due to improper URL parsing. A request that included a specially crafted request parameter could be used to redirect the user to a page controlled by an attacker. This URL would need to be presented to the user outside the normal request flow through a XSS or phishing campaign."
}
],
"metrics": [
{
"other": {
"content": {
"other": "moderate"
},
"type": "unknown"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-01-17T21:06:09",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.apache.org/thread/b7v5dkpyqb51nw0lvz4cybhgrfhk1g7j"
},
{
"name": "[oss-security] 20220117 CVE-2021-42357: DOM based XSS Vulnerability in Apache Knox",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2022/01/17/2"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "DOM based XSS Vulnerability in Apache Knox",
"workarounds": [
{
"lang": "en",
"value": "1.x users should upgrade to 1.6.1.\nUnsupported versions of the 0.x line that include this issue are: 0.13.0, 0.14.0.\nand these should upgrade to 1.6.1 as well.\n1.0.0 and 1.1.0 are also Unsupported but affected and should upgrade to 1.6.1.\n"
}
],
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2021-42357",
"STATE": "PUBLIC",
"TITLE": "DOM based XSS Vulnerability in Apache Knox"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache Knox",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "Apache Knox 1.x",
"version_value": "1.6.1"
},
{
"version_affected": "\u003e",
"version_name": "Apache Knox 0.x",
"version_value": "0.12.0"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Apache Knox would like to thank Kajetan Rostojek for this report"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "When using Apache Knox SSO prior to 1.6.1, a request could be crafted to redirect a user to a malicious page due to improper URL parsing. A request that included a specially crafted request parameter could be used to redirect the user to a page controlled by an attacker. This URL would need to be presented to the user outside the normal request flow through a XSS or phishing campaign."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": [
{
"other": "moderate"
}
],
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://lists.apache.org/thread/b7v5dkpyqb51nw0lvz4cybhgrfhk1g7j",
"refsource": "MISC",
"url": "https://lists.apache.org/thread/b7v5dkpyqb51nw0lvz4cybhgrfhk1g7j"
},
{
"name": "[oss-security] 20220117 CVE-2021-42357: DOM based XSS Vulnerability in Apache Knox",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2022/01/17/2"
}
]
},
"source": {
"discovery": "UNKNOWN"
},
"work_around": [
{
"lang": "en",
"value": "1.x users should upgrade to 1.6.1.\nUnsupported versions of the 0.x line that include this issue are: 0.13.0, 0.14.0.\nand these should upgrade to 1.6.1 as well.\n1.0.0 and 1.1.0 are also Unsupported but affected and should upgrade to 1.6.1.\n"
}
]
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2021-42357",
"datePublished": "2022-01-17T19:25:09",
"dateReserved": "2021-10-14T00:00:00",
"dateUpdated": "2024-08-04T03:30:38.347Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-5646 (GCVE-0-2017-5646)
Vulnerability from nvd – Published: 2017-05-26 21:00 – Updated: 2024-08-05 15:11
Summary
For versions of Apache Knox from 0.2.0 to 0.11.0 - an authenticated user may use a specially crafted URL to impersonate another user while accessing WebHDFS through Apache Knox. This may result in escalated privileges and unauthorized data access. While this activity is audit logged and can be easily associated with the authenticated user, this is still a serious security issue. All users are recommended to upgrade to the Apache Knox 0.12.0 release.
Severity ?
No CVSS data available.
CWE
- Escalated Privileges and Data Access (free-text problem type; the record assigns no CWE identifier)
Assigner: apache (security@apache.org)
References
| URL | Tags |
|---|---|
| http://mail-archives.apache.org/mod_mbox/knox-user/201705.mbox/%3CCACRbFyjtT7QQGHUzTRdbJoySbJb7tt4BDk5-r-VRn0GB0Kgvag%40mail.gmail.com%3E | mailing-list, x_refsource_MLIST |
| http://www.securityfocus.com/bid/98739 | vdb-entry, x_refsource_BID |
| https://lists.apache.org/thread.html/rcd6bcbcc08840d4e4bea661efe9a5ef8f6126ebbbc5bc266701d8f48%40%3Cdev.logging.apache.org%3E | mailing-list, x_refsource_MLIST |
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Apache Software Foundation | Apache Knox | Affected: 0.2.0 to 0.11.0 |

Note: the record expresses the range as the free-text string "0.2.0 to 0.11.0" with no `versionType` or `lessThan`, so it is not machine-comparable; the description names 0.12.0 as the fixed release.
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T15:11:47.380Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "[knox-user] 20170526 [ANNOUNCE] CVE-2017-5646: Apache Knox Impersonation Issue for WebHDFS",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://mail-archives.apache.org/mod_mbox/knox-user/201705.mbox/%3CCACRbFyjtT7QQGHUzTRdbJoySbJb7tt4BDk5-r-VRn0GB0Kgvag%40mail.gmail.com%3E"
},
{
"name": "98739",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/98739"
},
{
"name": "[logging-dev] 20201107 Re: Chainsaw update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rcd6bcbcc08840d4e4bea661efe9a5ef8f6126ebbbc5bc266701d8f48%40%3Cdev.logging.apache.org%3E"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache Knox",
"vendor": "Apache Software Foundation",
"versions": [
{
"status": "affected",
"version": "0.2.0 to 0.11.0"
}
]
}
],
"datePublic": "2017-05-26T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "For versions of Apache Knox from 0.2.0 to 0.11.0 - an authenticated user may use a specially crafted URL to impersonate another user while accessing WebHDFS through Apache Knox. This may result in escalated privileges and unauthorized data access. While this activity is audit logged and can be easily associated with the authenticated user, this is still a serious security issue. All users are recommended to upgrade to the Apache Knox 0.12.0 release."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Escalated Privileges and Data Access",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-11-08T01:06:18",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"name": "[knox-user] 20170526 [ANNOUNCE] CVE-2017-5646: Apache Knox Impersonation Issue for WebHDFS",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://mail-archives.apache.org/mod_mbox/knox-user/201705.mbox/%3CCACRbFyjtT7QQGHUzTRdbJoySbJb7tt4BDk5-r-VRn0GB0Kgvag%40mail.gmail.com%3E"
},
{
"name": "98739",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/98739"
},
{
"name": "[logging-dev] 20201107 Re: Chainsaw update",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rcd6bcbcc08840d4e4bea661efe9a5ef8f6126ebbbc5bc266701d8f48%40%3Cdev.logging.apache.org%3E"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2017-5646",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache Knox",
"version": {
"version_data": [
{
"version_value": "0.2.0 to 0.11.0"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "For versions of Apache Knox from 0.2.0 to 0.11.0 - an authenticated user may use a specially crafted URL to impersonate another user while accessing WebHDFS through Apache Knox. This may result in escalated privileges and unauthorized data access. While this activity is audit logged and can be easily associated with the authenticated user, this is still a serious security issue. All users are recommended to upgrade to the Apache Knox 0.12.0 release."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Escalated Privileges and Data Access"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "[knox-user] 20170526 [ANNOUNCE] CVE-2017-5646: Apache Knox Impersonation Issue for WebHDFS",
"refsource": "MLIST",
"url": "http://mail-archives.apache.org/mod_mbox/knox-user/201705.mbox/%3CCACRbFyjtT7QQGHUzTRdbJoySbJb7tt4BDk5-r-VRn0GB0Kgvag%40mail.gmail.com%3E"
},
{
"name": "98739",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/98739"
},
{
"name": "[logging-dev] 20201107 Re: Chainsaw update",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rcd6bcbcc08840d4e4bea661efe9a5ef8f6126ebbbc5bc266701d8f48@%3Cdev.logging.apache.org%3E"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2017-5646",
"datePublished": "2017-05-26T21:00:00",
"dateReserved": "2017-01-29T00:00:00",
"dateUpdated": "2024-08-05T15:11:47.380Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}