cnvd - cnvd-2018-04837

CNVD-2018-04837

Vulnerability from cnvd - Published: 2018-03-12

Title

Cloudera Data Science Workbench权限提升漏洞

Description

Cloudera Data Science Workbench（CDSW）是美国Cloudera公司的一套数据科学平台。该平台为企业提供快速、简易且安全的自助式数据科学支持。 CDSW 1.2.0之前1.x版本中存在安全漏洞。攻击者可利用该漏洞提升权限，获取CDSW节点、数据库和其他特权信息（例如：会话令牌和环境变量）。

Severity

高

Patch Name

Cloudera Data Science Workbench权限提升漏洞的补丁

Patch Description

Formal description

厂商已发布漏洞修复程序，请及时关注更新： https://www.cloudera.com/documentation/other/security-bulletins/topics/Security-Bulletin.html#tsb_248

Reference

https://nvd.nist.gov/vuln/detail/CVE-2017-15536

Impacted products

Name
Cloudera Cloudera Data Science Workbench（CDSW） 1.*，<1.2.0

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2017-15536"
    }
  },
  "description": "Cloudera Data Science Workbench\uff08CDSW\uff09\u662f\u7f8e\u56fdCloudera\u516c\u53f8\u7684\u4e00\u5957\u6570\u636e\u79d1\u5b66\u5e73\u53f0\u3002\u8be5\u5e73\u53f0\u4e3a\u4f01\u4e1a\u63d0\u4f9b\u5feb\u901f\u3001\u7b80\u6613\u4e14\u5b89\u5168\u7684\u81ea\u52a9\u5f0f\u6570\u636e\u79d1\u5b66\u652f\u6301\u3002\r\n\r\nCDSW 1.2.0\u4e4b\u524d1.x\u7248\u672c\u4e2d\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u63d0\u5347\u6743\u9650\uff0c\u83b7\u53d6CDSW\u8282\u70b9\u3001\u6570\u636e\u5e93\u548c\u5176\u4ed6\u7279\u6743\u4fe1\u606f\uff08\u4f8b\u5982\uff1a\u4f1a\u8bdd\u4ee4\u724c\u548c\u73af\u5883\u53d8\u91cf\uff09\u3002",
  "discovererName": "unknwon",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://www.cloudera.com/documentation/other/security-bulletins/topics/Security-Bulletin.html#tsb_248",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2018-04837",
  "openTime": "2018-03-12",
  "patchDescription": "Cloudera Data Science Workbench\uff08CDSW\uff09\u662f\u7f8e\u56fdCloudera\u516c\u53f8\u7684\u4e00\u5957\u6570\u636e\u79d1\u5b66\u5e73\u53f0\u3002\u8be5\u5e73\u53f0\u4e3a\u4f01\u4e1a\u63d0\u4f9b\u5feb\u901f\u3001\u7b80\u6613\u4e14\u5b89\u5168\u7684\u81ea\u52a9\u5f0f\u6570\u636e\u79d1\u5b66\u652f\u6301\u3002\r\n\r\nCDSW 1.2.0\u4e4b\u524d1.x\u7248\u672c\u4e2d\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u63d0\u5347\u6743\u9650\uff0c\u83b7\u53d6CDSW\u8282\u70b9\u3001\u6570\u636e\u5e93\u548c\u5176\u4ed6\u7279\u6743\u4fe1\u606f\uff08\u4f8b\u5982\uff1a\u4f1a\u8bdd\u4ee4\u724c\u548c\u73af\u5883\u53d8\u91cf\uff09\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Cloudera Data Science Workbench\u6743\u9650\u63d0\u5347\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "Cloudera Cloudera Data Science Workbench\uff08CDSW\uff09 1.*\uff0c\u003c1.2.0"
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2017-15536",
  "serverity": "\u9ad8",
  "submitTime": "2018-02-05",
  "title": "Cloudera Data Science Workbench\u6743\u9650\u63d0\u5347\u6f0f\u6d1e"
}

CVE-2017-15536 (GCVE-0-2017-15536)

Vulnerability from cvelistv5 – Published: 2018-02-05 03:00 – Updated: 2024-08-05 19:57

Summary

An issue was discovered in Cloudera Data Science Workbench (CDSW) 1.x before 1.2.0. Several web application vulnerabilities allow malicious authenticated users of CDSW to escalate privileges in CDSW. CDSW users can exploit these vulnerabilities in combination to gain root access to CDSW nodes, gain access to the CDSW database which includes Kerberos keytabs of CDSW users and bcrypt hashed passwords, and gain access to other privileged information such as session tokens, invitation tokens, and environment variables.

Severity ?

No CVSS data available.

CWE

Assigner

mitre

References

URL

Tags

https://www.cloudera.com/documentation/other/secu…

x_refsource_CONFIRM

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T19:57:26.340Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.cloudera.com/documentation/other/security-bulletins/topics/Security-Bulletin.html#tsb_248"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2018-02-04T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "An issue was discovered in Cloudera Data Science Workbench (CDSW) 1.x before 1.2.0. Several web application vulnerabilities allow malicious authenticated users of CDSW to escalate privileges in CDSW. CDSW users can exploit these vulnerabilities in combination to gain root access to CDSW nodes, gain access to the CDSW database which includes Kerberos keytabs of CDSW users and bcrypt hashed passwords, and gain access to other privileged information such as session tokens, invitation tokens, and environment variables."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2018-02-05T02:57:01",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.cloudera.com/documentation/other/security-bulletins/topics/Security-Bulletin.html#tsb_248"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2017-15536",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "An issue was discovered in Cloudera Data Science Workbench (CDSW) 1.x before 1.2.0. Several web application vulnerabilities allow malicious authenticated users of CDSW to escalate privileges in CDSW. CDSW users can exploit these vulnerabilities in combination to gain root access to CDSW nodes, gain access to the CDSW database which includes Kerberos keytabs of CDSW users and bcrypt hashed passwords, and gain access to other privileged information such as session tokens, invitation tokens, and environment variables."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.cloudera.com/documentation/other/security-bulletins/topics/Security-Bulletin.html#tsb_248",
              "refsource": "CONFIRM",
              "url": "https://www.cloudera.com/documentation/other/security-bulletins/topics/Security-Bulletin.html#tsb_248"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2017-15536",
    "datePublished": "2018-02-05T03:00:00",
    "dateReserved": "2017-10-17T00:00:00",
    "dateUpdated": "2024-08-05T19:57:26.340Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2018-04837

CVE-2017-15536 (GCVE-0-2017-15536)

Tags

Sightings

Nomenclature