CVE-2025-23196 (GCVE-0-2025-23196)

Vulnerability from cvelistv5 – Published: 2025-01-21 21:23 – Updated: 2025-02-03 08:22
VLAI?
Summary
A code injection vulnerability exists in the Ambari Alert Definition feature, allowing authenticated users to inject and execute arbitrary shell commands. The vulnerability arises when defining alert scripts, where the script filename field is executed using `sh -c`. An attacker with authenticated access can exploit this vulnerability to inject malicious commands, leading to remote code execution on the server. The issue has been fixed in the latest versions of Ambari.
Severity ?
No CVSS data available.
CWE
  • CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')
Assigner
References
Impacted products
Vendor Product Version
Apache Software Foundation Apache Ambari Affected: 8 , < 2.7.9 (semver)
Create a notification for this product.
Credits
Liyw979 robinzeng2015 fcgboy wk2025 Tari from Sangfor Company
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-01-21T23:02:44.790Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2025/01/21/8"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 8.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-23196",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-01-22T14:47:59.283725Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-01-22T14:48:12.311Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Apache Ambari",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThan": "2.7.9",
              "status": "affected",
              "version": "8",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "Liyw979"
        },
        {
          "lang": "en",
          "type": "reporter",
          "value": "robinzeng2015"
        },
        {
          "lang": "en",
          "type": "reporter",
          "value": "fcgboy"
        },
        {
          "lang": "en",
          "type": "reporter",
          "value": "wk2025"
        },
        {
          "lang": "en",
          "type": "reporter",
          "value": "Tari from Sangfor Company"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "A code injection vulnerability exists in the Ambari Alert Definition \nfeature, allowing authenticated users to inject and execute arbitrary \nshell commands. The vulnerability arises when defining alert scripts, \nwhere the script filename field is executed using `sh -c`. An attacker \nwith authenticated access can exploit this vulnerability to inject \nmalicious commands, leading to remote code execution on the server. The \nissue has been fixed in the latest versions of Ambari."
            }
          ],
          "value": "A code injection vulnerability exists in the Ambari Alert Definition \nfeature, allowing authenticated users to inject and execute arbitrary \nshell commands. The vulnerability arises when defining alert scripts, \nwhere the script filename field is executed using `sh -c`. An attacker \nwith authenticated access can exploit this vulnerability to inject \nmalicious commands, leading to remote code execution on the server. The \nissue has been fixed in the latest versions of Ambari."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "text": "important"
            },
            "type": "Textual description of severity"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-77",
              "description": "CWE-77 Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-02-03T08:22:56.454Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.apache.org/thread/70g1l5lxvko7kvhyxmtmklhhfrlon837"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Apache Ambari: Code Injection Vulnerability in Ambari Alert Definition",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2025-23196",
    "datePublished": "2025-01-21T21:23:41.389Z",
    "dateReserved": "2025-01-13T14:43:54.173Z",
    "dateUpdated": "2025-02-03T08:22:56.454Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-23196\",\"sourceIdentifier\":\"security@apache.org\",\"published\":\"2025-01-21T22:15:12.987\",\"lastModified\":\"2025-06-09T19:42:00.100\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"A code injection vulnerability exists in the Ambari Alert Definition \\nfeature, allowing authenticated users to inject and execute arbitrary \\nshell commands. The vulnerability arises when defining alert scripts, \\nwhere the script filename field is executed using `sh -c`. An attacker \\nwith authenticated access can exploit this vulnerability to inject \\nmalicious commands, leading to remote code execution on the server. The \\nissue has been fixed in the latest versions of Ambari.\"},{\"lang\":\"es\",\"value\":\"Existe una vulnerabilidad de inyecci\u00f3n de c\u00f3digo en la funci\u00f3n de definici\u00f3n de alertas de Ambari, que permite a los usuarios autenticados inyectar y ejecutar comandos de shell arbitrarios. La vulnerabilidad surge al definir la alerta scripts, donde el campo de nombre de archivo script se ejecuta utilizando `sh -c`. Un atacante con acceso autenticado puede aprovechar esta vulnerabilidad para inyectar comandos maliciosos, lo que lleva a la ejecuci\u00f3n remota de c\u00f3digo en el servidor. El problema se ha solucionado en las \u00faltimas versiones de Ambari.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":8.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"security@apache.org\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-77\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:ambari:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"2.7.9\",\"matchCriteriaId\":\"DAB94B88-4AAB-4690-8A00-DD223D72E8D4\"}]}]}],\"references\":[{\"url\":\"https://lists.apache.org/thread/70g1l5lxvko7kvhyxmtmklhhfrlon837\",\"source\":\"security@apache.org\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://www.openwall.com/lists/oss-security/2025/01/21/8\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"http://www.openwall.com/lists/oss-security/2025/01/21/8\"}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2025-01-21T23:02:44.790Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 8.8, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-23196\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-01-22T14:47:59.283725Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-01-22T14:46:48.575Z\"}}], \"cna\": {\"title\": \"Apache Ambari: Code Injection Vulnerability in Ambari Alert Definition\", \"source\": {\"discovery\": \"UNKNOWN\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"reporter\", \"value\": \"Liyw979\"}, {\"lang\": \"en\", \"type\": \"reporter\", \"value\": \"robinzeng2015\"}, {\"lang\": \"en\", \"type\": \"reporter\", \"value\": \"fcgboy\"}, {\"lang\": \"en\", \"type\": \"reporter\", \"value\": \"wk2025\"}, {\"lang\": \"en\", \"type\": \"reporter\", \"value\": \"Tari from Sangfor Company\"}], \"metrics\": [{\"other\": {\"type\": \"Textual description of severity\", \"content\": {\"text\": \"important\"}}}], \"affected\": [{\"vendor\": \"Apache Software Foundation\", \"product\": \"Apache Ambari\", \"versions\": [{\"status\": \"affected\", \"version\": \"8\", \"lessThan\": \"2.7.9\", \"versionType\": \"semver\"}], \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://lists.apache.org/thread/70g1l5lxvko7kvhyxmtmklhhfrlon837\", \"tags\": [\"vendor-advisory\"]}], \"x_generator\": {\"engine\": \"Vulnogram 0.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"A code injection vulnerability exists in the Ambari Alert Definition \\nfeature, allowing authenticated users to inject and execute arbitrary \\nshell commands. The vulnerability arises when defining alert scripts, \\nwhere the script filename field is executed using `sh -c`. An attacker \\nwith authenticated access can exploit this vulnerability to inject \\nmalicious commands, leading to remote code execution on the server. The \\nissue has been fixed in the latest versions of Ambari.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"A code injection vulnerability exists in the Ambari Alert Definition \\nfeature, allowing authenticated users to inject and execute arbitrary \\nshell commands. The vulnerability arises when defining alert scripts, \\nwhere the script filename field is executed using `sh -c`. An attacker \\nwith authenticated access can exploit this vulnerability to inject \\nmalicious commands, leading to remote code execution on the server. The \\nissue has been fixed in the latest versions of Ambari.\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-77\", \"description\": \"CWE-77 Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"f0158376-9dc2-43b6-827c-5f631a4d8d09\", \"shortName\": \"apache\", \"dateUpdated\": \"2025-02-03T08:22:56.454Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-23196\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-02-03T08:22:56.454Z\", \"dateReserved\": \"2025-01-13T14:43:54.173Z\", \"assignerOrgId\": \"f0158376-9dc2-43b6-827c-5f631a4d8d09\", \"datePublished\": \"2025-01-21T21:23:41.389Z\", \"assignerShortName\": \"apache\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.