FKIE_CVE-2021-42357
Vulnerability from fkie_nvd - Published: 2022-01-17 20:15 - Updated: 2024-11-21 06:27
Severity
Summary
When using Apache Knox SSO prior to 1.6.1, a request could be crafted to redirect a user to a malicious page due to improper URL parsing. A request that included a specially crafted request parameter could be used to redirect the user to a page controlled by an attacker. This URL would need to be presented to the user outside the normal request flow through an XSS or phishing campaign.
References
| Source | URL | Tags |
|---|---|---|
| security@apache.org | http://www.openwall.com/lists/oss-security/2022/01/17/2 | Mailing List, Third Party Advisory |
| security@apache.org | https://lists.apache.org/thread/b7v5dkpyqb51nw0lvz4cybhgrfhk1g7j | Mailing List, Vendor Advisory |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2022/01/17/2 | Mailing List, Third Party Advisory |
| af854a3a-2127-422b-91ae-364da2661108 | https://lists.apache.org/thread/b7v5dkpyqb51nw0lvz4cybhgrfhk1g7j | Mailing List, Vendor Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:knox:*:*:*:*:*:*:*:*",
"matchCriteriaId": "D1DE53D2-9049-4622-BB80-9640BB120575",
"versionEndExcluding": "1.6.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "When using Apache Knox SSO prior to 1.6.1, a request could be crafted to redirect a user to a malicious page due to improper URL parsing. A request that included a specially crafted request parameter could be used to redirect the user to a page controlled by an attacker. This URL would need to be presented to the user outside the normal request flow through a XSS or phishing campaign."
},
{
"lang": "es",
"value": "Cuando era usado Apache Knox SSO versiones anteriores a 1.6.1, una petici\u00f3n pod\u00eda ser dise\u00f1ada para redirigir a un usuario a una p\u00e1gina maliciosa debido a un an\u00e1lisis incorrecto de la URL. Una petici\u00f3n que incluyera un par\u00e1metro de petici\u00f3n especialmente dise\u00f1ado podr\u00eda ser usada para redirigir al usuario a una p\u00e1gina controlada por un atacante. Esta URL tendr\u00eda que ser presentada al usuario fuera del flujo normal de peticiones mediante una campa\u00f1a de tipo XSS o phishing"
}
],
"id": "CVE-2021-42357",
"lastModified": "2024-11-21T06:27:39.103",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-01-17T20:15:07.697",
"references": [
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2022/01/17/2"
},
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread/b7v5dkpyqb51nw0lvz4cybhgrfhk1g7j"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2022/01/17/2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread/b7v5dkpyqb51nw0lvz4cybhgrfhk1g7j"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "security@apache.org",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2017-5646
Vulnerability from fkie_nvd - Published: 2017-05-26 21:29 - Updated: 2025-04-20 01:37
Severity
Summary
For versions of Apache Knox from 0.2.0 to 0.11.0 - an authenticated user may use a specially crafted URL to impersonate another user while accessing WebHDFS through Apache Knox. This may result in escalated privileges and unauthorized data access. While this activity is audit logged and can be easily associated with the authenticated user, this is still a serious security issue. All users are recommended to upgrade to the Apache Knox 0.12.0 release.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:knox:0.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "CFB08A82-F503-42F1-82DD-1C9DD9D1B329",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:knox:0.3.0:*:*:*:*:*:*:*",
"matchCriteriaId": "B4A0A928-87F2-48C1-9E28-0DD081C3B659",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:knox:0.4.0:*:*:*:*:*:*:*",
"matchCriteriaId": "AE8495A7-CC0D-4C55-851E-9D36BAAAE96F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:knox:0.5.0:*:*:*:*:*:*:*",
"matchCriteriaId": "E962CBAB-A1FD-47D0-8C06-8DC9C5EC2685",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:knox:0.6.0:*:*:*:*:*:*:*",
"matchCriteriaId": "20FF2592-88E3-4244-99E9-DDE78BAEE708",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:knox:0.7.0:*:*:*:*:*:*:*",
"matchCriteriaId": "E8366021-F490-4168-95A9-9A850C4D4E0A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:knox:0.8.0:*:*:*:*:*:*:*",
"matchCriteriaId": "BEECD700-6EA2-4F3C-81F1-080DE8E344CF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:knox:0.9.0:*:*:*:*:*:*:*",
"matchCriteriaId": "2488F651-8097-4B35-B154-51BFE2B739E4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:knox:0.10.0:*:*:*:*:*:*:*",
"matchCriteriaId": "3667D057-A631-4FAA-8850-A6741BD5DF44",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:knox:0.11.0:*:*:*:*:*:*:*",
"matchCriteriaId": "38E2E1E1-3BA3-4AC1-A57B-46B8D52DC097",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "For versions of Apache Knox from 0.2.0 to 0.11.0 - an authenticated user may use a specially crafted URL to impersonate another user while accessing WebHDFS through Apache Knox. This may result in escalated privileges and unauthorized data access. While this activity is audit logged and can be easily associated with the authenticated user, this is still a serious security issue. All users are recommended to upgrade to the Apache Knox 0.12.0 release."
},
{
"lang": "es",
"value": "Para versiones de Apache Knox desde 0.2.0 hasta 0.11.0, un usuario autenticado puede usar una URL especialmente dise\u00f1ada para suplantar a otro usuario mientras accede a WebHDFS por medio de Apache Knox. Esto puede resultar en privilegios escalados y acceso a datos no autorizados. Mientras esta actividad est\u00e1 registrada como auditor\u00eda y puede ser asociada f\u00e1cilmente con el usuario autenticado, esto sigue siendo un problema de seguridad serio. Se recomienda a todos los usuarios actualizar a la versi\u00f3n Apache Knox versi\u00f3n 0.12.0."
}
],
"id": "CVE-2017-5646",
"lastModified": "2025-04-20T01:37:25.860",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 4.9,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 6.8,
"impactScore": 4.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.6,
"impactScore": 5.2,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2017-05-26T21:29:00.433",
"references": [
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Vendor Advisory"
],
"url": "http://mail-archives.apache.org/mod_mbox/knox-user/201705.mbox/%3CCACRbFyjtT7QQGHUzTRdbJoySbJb7tt4BDk5-r-VRn0GB0Kgvag%40mail.gmail.com%3E"
},
{
"source": "security@apache.org",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/98739"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/rcd6bcbcc08840d4e4bea661efe9a5ef8f6126ebbbc5bc266701d8f48%40%3Cdev.logging.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Vendor Advisory"
],
"url": "http://mail-archives.apache.org/mod_mbox/knox-user/201705.mbox/%3CCACRbFyjtT7QQGHUzTRdbJoySbJb7tt4BDk5-r-VRn0GB0Kgvag%40mail.gmail.com%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/98739"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/rcd6bcbcc08840d4e4bea661efe9a5ef8f6126ebbbc5bc266701d8f48%40%3Cdev.logging.apache.org%3E"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-346"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
CVE-2021-42357 (GCVE-0-2021-42357)
Vulnerability from cvelistv5 – Published: 2022-01-17 19:25 – Updated: 2024-08-04 03:30
Title
DOM based XSS Vulnerability in Apache Knox
Summary
When using Apache Knox SSO prior to 1.6.1, a request could be crafted to redirect a user to a malicious page due to improper URL parsing. A request that included a specially crafted request parameter could be used to redirect the user to a page controlled by an attacker. This URL would need to be presented to the user outside the normal request flow through an XSS or phishing campaign.
Severity
No CVSS data available.
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags |
|---|---|
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Apache Software Foundation | Apache Knox | Affected: Apache Knox 1.x, < 1.6.1 (custom); Affected: 0.12.0, < Apache Knox 0.x* (custom) |
Credits
Apache Knox would like to thank Kajetan Rostojek for this report
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T03:30:38.347Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lists.apache.org/thread/b7v5dkpyqb51nw0lvz4cybhgrfhk1g7j"
},
{
"name": "[oss-security] 20220117 CVE-2021-42357: DOM based XSS Vulnerability in Apache Knox",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2022/01/17/2"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache Knox",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "1.6.1",
"status": "affected",
"version": "Apache Knox 1.x",
"versionType": "custom"
},
{
"lessThan": "Apache Knox 0.x*",
"status": "affected",
"version": "0.12.0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Apache Knox would like to thank Kajetan Rostojek for this report"
}
],
"descriptions": [
{
"lang": "en",
"value": "When using Apache Knox SSO prior to 1.6.1, a request could be crafted to redirect a user to a malicious page due to improper URL parsing. A request that included a specially crafted request parameter could be used to redirect the user to a page controlled by an attacker. This URL would need to be presented to the user outside the normal request flow through a XSS or phishing campaign."
}
],
"metrics": [
{
"other": {
"content": {
"other": "moderate"
},
"type": "unknown"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-01-17T21:06:09",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.apache.org/thread/b7v5dkpyqb51nw0lvz4cybhgrfhk1g7j"
},
{
"name": "[oss-security] 20220117 CVE-2021-42357: DOM based XSS Vulnerability in Apache Knox",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2022/01/17/2"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "DOM based XSS Vulnerability in Apache Knox",
"workarounds": [
{
"lang": "en",
"value": "1.x users should upgrade to 1.6.1.\nUnsupported versions of the 0.x line that include this issue are: 0.13.0, 0.14.0.\nand these should upgrade to 1.6.1 as well.\n1.0.0 and 1.1.0 are also Unsupported but affected and should upgrade to 1.6.1.\n"
}
],
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2021-42357",
"STATE": "PUBLIC",
"TITLE": "DOM based XSS Vulnerability in Apache Knox"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache Knox",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "Apache Knox 1.x",
"version_value": "1.6.1"
},
{
"version_affected": "\u003e",
"version_name": "Apache Knox 0.x",
"version_value": "0.12.0"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Apache Knox would like to thank Kajetan Rostojek for this report"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "When using Apache Knox SSO prior to 1.6.1, a request could be crafted to redirect a user to a malicious page due to improper URL parsing. A request that included a specially crafted request parameter could be used to redirect the user to a page controlled by an attacker. This URL would need to be presented to the user outside the normal request flow through a XSS or phishing campaign."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": [
{
"other": "moderate"
}
],
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://lists.apache.org/thread/b7v5dkpyqb51nw0lvz4cybhgrfhk1g7j",
"refsource": "MISC",
"url": "https://lists.apache.org/thread/b7v5dkpyqb51nw0lvz4cybhgrfhk1g7j"
},
{
"name": "[oss-security] 20220117 CVE-2021-42357: DOM based XSS Vulnerability in Apache Knox",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2022/01/17/2"
}
]
},
"source": {
"discovery": "UNKNOWN"
},
"work_around": [
{
"lang": "en",
"value": "1.x users should upgrade to 1.6.1.\nUnsupported versions of the 0.x line that include this issue are: 0.13.0, 0.14.0.\nand these should upgrade to 1.6.1 as well.\n1.0.0 and 1.1.0 are also Unsupported but affected and should upgrade to 1.6.1.\n"
}
]
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2021-42357",
"datePublished": "2022-01-17T19:25:09",
"dateReserved": "2021-10-14T00:00:00",
"dateUpdated": "2024-08-04T03:30:38.347Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-5646 (GCVE-0-2017-5646)
Vulnerability from cvelistv5 – Published: 2017-05-26 21:00 – Updated: 2024-08-05 15:11
Summary
For versions of Apache Knox from 0.2.0 to 0.11.0 - an authenticated user may use a specially crafted URL to impersonate another user while accessing WebHDFS through Apache Knox. This may result in escalated privileges and unauthorized data access. While this activity is audit logged and can be easily associated with the authenticated user, this is still a serious security issue. All users are recommended to upgrade to the Apache Knox 0.12.0 release.
Severity
No CVSS data available.
CWE
- Escalated Privileges and Data Access
Assigner
References
| URL | Tags |
|---|---|
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Apache Software Foundation | Apache Knox | Affected: 0.2.0 to 0.11.0 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T15:11:47.380Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "[knox-user] 20170526 [ANNOUNCE] CVE-2017-5646: Apache Knox Impersonation Issue for WebHDFS",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://mail-archives.apache.org/mod_mbox/knox-user/201705.mbox/%3CCACRbFyjtT7QQGHUzTRdbJoySbJb7tt4BDk5-r-VRn0GB0Kgvag%40mail.gmail.com%3E"
},
{
"name": "98739",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/98739"
},
{
"name": "[logging-dev] 20201107 Re: Chainsaw update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rcd6bcbcc08840d4e4bea661efe9a5ef8f6126ebbbc5bc266701d8f48%40%3Cdev.logging.apache.org%3E"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache Knox",
"vendor": "Apache Software Foundation",
"versions": [
{
"status": "affected",
"version": "0.2.0 to 0.11.0"
}
]
}
],
"datePublic": "2017-05-26T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "For versions of Apache Knox from 0.2.0 to 0.11.0 - an authenticated user may use a specially crafted URL to impersonate another user while accessing WebHDFS through Apache Knox. This may result in escalated privileges and unauthorized data access. While this activity is audit logged and can be easily associated with the authenticated user, this is still a serious security issue. All users are recommended to upgrade to the Apache Knox 0.12.0 release."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Escalated Privileges and Data Access",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-11-08T01:06:18",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"name": "[knox-user] 20170526 [ANNOUNCE] CVE-2017-5646: Apache Knox Impersonation Issue for WebHDFS",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://mail-archives.apache.org/mod_mbox/knox-user/201705.mbox/%3CCACRbFyjtT7QQGHUzTRdbJoySbJb7tt4BDk5-r-VRn0GB0Kgvag%40mail.gmail.com%3E"
},
{
"name": "98739",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/98739"
},
{
"name": "[logging-dev] 20201107 Re: Chainsaw update",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rcd6bcbcc08840d4e4bea661efe9a5ef8f6126ebbbc5bc266701d8f48%40%3Cdev.logging.apache.org%3E"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2017-5646",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache Knox",
"version": {
"version_data": [
{
"version_value": "0.2.0 to 0.11.0"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "For versions of Apache Knox from 0.2.0 to 0.11.0 - an authenticated user may use a specially crafted URL to impersonate another user while accessing WebHDFS through Apache Knox. This may result in escalated privileges and unauthorized data access. While this activity is audit logged and can be easily associated with the authenticated user, this is still a serious security issue. All users are recommended to upgrade to the Apache Knox 0.12.0 release."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Escalated Privileges and Data Access"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "[knox-user] 20170526 [ANNOUNCE] CVE-2017-5646: Apache Knox Impersonation Issue for WebHDFS",
"refsource": "MLIST",
"url": "http://mail-archives.apache.org/mod_mbox/knox-user/201705.mbox/%3CCACRbFyjtT7QQGHUzTRdbJoySbJb7tt4BDk5-r-VRn0GB0Kgvag%40mail.gmail.com%3E"
},
{
"name": "98739",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/98739"
},
{
"name": "[logging-dev] 20201107 Re: Chainsaw update",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rcd6bcbcc08840d4e4bea661efe9a5ef8f6126ebbbc5bc266701d8f48@%3Cdev.logging.apache.org%3E"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2017-5646",
"datePublished": "2017-05-26T21:00:00",
"dateReserved": "2017-01-29T00:00:00",
"dateUpdated": "2024-08-05T15:11:47.380Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-42357 (GCVE-0-2021-42357)
Vulnerability from nvd – Published: 2022-01-17 19:25 – Updated: 2024-08-04 03:30
Title
DOM based XSS Vulnerability in Apache Knox
Summary
When using Apache Knox SSO prior to 1.6.1, a request could be crafted to redirect a user to a malicious page due to improper URL parsing. A request that included a specially crafted request parameter could be used to redirect the user to a page controlled by an attacker. This URL would need to be presented to the user outside the normal request flow through an XSS or phishing campaign.
Severity
No CVSS data available.
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags |
|---|---|
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Apache Software Foundation | Apache Knox | Affected: Apache Knox 1.x, < 1.6.1 (custom); Affected: 0.12.0, < Apache Knox 0.x* (custom) |
Credits
Apache Knox would like to thank Kajetan Rostojek for this report
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T03:30:38.347Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lists.apache.org/thread/b7v5dkpyqb51nw0lvz4cybhgrfhk1g7j"
},
{
"name": "[oss-security] 20220117 CVE-2021-42357: DOM based XSS Vulnerability in Apache Knox",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2022/01/17/2"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache Knox",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "1.6.1",
"status": "affected",
"version": "Apache Knox 1.x",
"versionType": "custom"
},
{
"lessThan": "Apache Knox 0.x*",
"status": "affected",
"version": "0.12.0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Apache Knox would like to thank Kajetan Rostojek for this report"
}
],
"descriptions": [
{
"lang": "en",
"value": "When using Apache Knox SSO prior to 1.6.1, a request could be crafted to redirect a user to a malicious page due to improper URL parsing. A request that included a specially crafted request parameter could be used to redirect the user to a page controlled by an attacker. This URL would need to be presented to the user outside the normal request flow through a XSS or phishing campaign."
}
],
"metrics": [
{
"other": {
"content": {
"other": "moderate"
},
"type": "unknown"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-01-17T21:06:09",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.apache.org/thread/b7v5dkpyqb51nw0lvz4cybhgrfhk1g7j"
},
{
"name": "[oss-security] 20220117 CVE-2021-42357: DOM based XSS Vulnerability in Apache Knox",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2022/01/17/2"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "DOM based XSS Vulnerability in Apache Knox",
"workarounds": [
{
"lang": "en",
"value": "1.x users should upgrade to 1.6.1.\nUnsupported versions of the 0.x line that include this issue are: 0.13.0, 0.14.0.\nand these should upgrade to 1.6.1 as well.\n1.0.0 and 1.1.0 are also Unsupported but affected and should upgrade to 1.6.1.\n"
}
],
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2021-42357",
"STATE": "PUBLIC",
"TITLE": "DOM based XSS Vulnerability in Apache Knox"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache Knox",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "Apache Knox 1.x",
"version_value": "1.6.1"
},
{
"version_affected": "\u003e",
"version_name": "Apache Knox 0.x",
"version_value": "0.12.0"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Apache Knox would like to thank Kajetan Rostojek for this report"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "When using Apache Knox SSO prior to 1.6.1, a request could be crafted to redirect a user to a malicious page due to improper URL parsing. A request that included a specially crafted request parameter could be used to redirect the user to a page controlled by an attacker. This URL would need to be presented to the user outside the normal request flow through a XSS or phishing campaign."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": [
{
"other": "moderate"
}
],
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://lists.apache.org/thread/b7v5dkpyqb51nw0lvz4cybhgrfhk1g7j",
"refsource": "MISC",
"url": "https://lists.apache.org/thread/b7v5dkpyqb51nw0lvz4cybhgrfhk1g7j"
},
{
"name": "[oss-security] 20220117 CVE-2021-42357: DOM based XSS Vulnerability in Apache Knox",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2022/01/17/2"
}
]
},
"source": {
"discovery": "UNKNOWN"
},
"work_around": [
{
"lang": "en",
"value": "1.x users should upgrade to 1.6.1.\nUnsupported versions of the 0.x line that include this issue are: 0.13.0, 0.14.0.\nand these should upgrade to 1.6.1 as well.\n1.0.0 and 1.1.0 are also Unsupported but affected and should upgrade to 1.6.1.\n"
}
]
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2021-42357",
"datePublished": "2022-01-17T19:25:09",
"dateReserved": "2021-10-14T00:00:00",
"dateUpdated": "2024-08-04T03:30:38.347Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-5646 (GCVE-0-2017-5646)
Vulnerability from nvd – Published: 2017-05-26 21:00 – Updated: 2024-08-05 15:11
Summary
For versions of Apache Knox from 0.2.0 to 0.11.0 - an authenticated user may use a specially crafted URL to impersonate another user while accessing WebHDFS through Apache Knox. This may result in escalated privileges and unauthorized data access. While this activity is audit logged and can be easily associated with the authenticated user, this is still a serious security issue. All users are recommended to upgrade to the Apache Knox 0.12.0 release.
Severity
No CVSS data available.
CWE
- Escalated Privileges and Data Access
Assigner
References
| URL | Tags |
|---|---|
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Apache Software Foundation | Apache Knox | Affected: 0.2.0 to 0.11.0 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T15:11:47.380Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "[knox-user] 20170526 [ANNOUNCE] CVE-2017-5646: Apache Knox Impersonation Issue for WebHDFS",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://mail-archives.apache.org/mod_mbox/knox-user/201705.mbox/%3CCACRbFyjtT7QQGHUzTRdbJoySbJb7tt4BDk5-r-VRn0GB0Kgvag%40mail.gmail.com%3E"
},
{
"name": "98739",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/98739"
},
{
"name": "[logging-dev] 20201107 Re: Chainsaw update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rcd6bcbcc08840d4e4bea661efe9a5ef8f6126ebbbc5bc266701d8f48%40%3Cdev.logging.apache.org%3E"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache Knox",
"vendor": "Apache Software Foundation",
"versions": [
{
"status": "affected",
"version": "0.2.0 to 0.11.0"
}
]
}
],
"datePublic": "2017-05-26T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "For versions of Apache Knox from 0.2.0 to 0.11.0 - an authenticated user may use a specially crafted URL to impersonate another user while accessing WebHDFS through Apache Knox. This may result in escalated privileges and unauthorized data access. While this activity is audit logged and can be easily associated with the authenticated user, this is still a serious security issue. All users are recommended to upgrade to the Apache Knox 0.12.0 release."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Escalated Privileges and Data Access",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-11-08T01:06:18",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"name": "[knox-user] 20170526 [ANNOUNCE] CVE-2017-5646: Apache Knox Impersonation Issue for WebHDFS",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://mail-archives.apache.org/mod_mbox/knox-user/201705.mbox/%3CCACRbFyjtT7QQGHUzTRdbJoySbJb7tt4BDk5-r-VRn0GB0Kgvag%40mail.gmail.com%3E"
},
{
"name": "98739",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/98739"
},
{
"name": "[logging-dev] 20201107 Re: Chainsaw update",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rcd6bcbcc08840d4e4bea661efe9a5ef8f6126ebbbc5bc266701d8f48%40%3Cdev.logging.apache.org%3E"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2017-5646",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache Knox",
"version": {
"version_data": [
{
"version_value": "0.2.0 to 0.11.0"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "For versions of Apache Knox from 0.2.0 to 0.11.0 - an authenticated user may use a specially crafted URL to impersonate another user while accessing WebHDFS through Apache Knox. This may result in escalated privileges and unauthorized data access. While this activity is audit logged and can be easily associated with the authenticated user, this is still a serious security issue. All users are recommended to upgrade to the Apache Knox 0.12.0 release."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Escalated Privileges and Data Access"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "[knox-user] 20170526 [ANNOUNCE] CVE-2017-5646: Apache Knox Impersonation Issue for WebHDFS",
"refsource": "MLIST",
"url": "http://mail-archives.apache.org/mod_mbox/knox-user/201705.mbox/%3CCACRbFyjtT7QQGHUzTRdbJoySbJb7tt4BDk5-r-VRn0GB0Kgvag%40mail.gmail.com%3E"
},
{
"name": "98739",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/98739"
},
{
"name": "[logging-dev] 20201107 Re: Chainsaw update",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rcd6bcbcc08840d4e4bea661efe9a5ef8f6126ebbbc5bc266701d8f48@%3Cdev.logging.apache.org%3E"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2017-5646",
"datePublished": "2017-05-26T21:00:00",
"dateReserved": "2017-01-29T00:00:00",
"dateUpdated": "2024-08-05T15:11:47.380Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}