FKIE_CVE-2017-15712

Vulnerability from fkie_nvd - Published: 2018-02-19 14:29 - Updated: 2024-11-21 03:15
Severity ?
6.5 (Medium) - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Summary
Vulnerability allows a user of Apache Oozie 3.1.3-incubating to 4.3.0 and 5.0.0-beta1 to expose private files on the Oozie server process. The malicious user can construct a workflow XML file containing XML directives and configuration that reference sensitive files on the Oozie server host.
References
security@apache.orghttp://www.securityfocus.com/bid/103102Third Party Advisory, VDB Entry
security@apache.orghttps://lists.apache.org/thread.html/4606709264fe7cb0285e2a12aca2d01a06b14cd58791c9fc32abd216%40%3Cdev.oozie.apache.org%3E
af854a3a-2127-422b-91ae-364da2661108http://www.securityfocus.com/bid/103102Third Party Advisory, VDB Entry
af854a3a-2127-422b-91ae-364da2661108https://lists.apache.org/thread.html/4606709264fe7cb0285e2a12aca2d01a06b14cd58791c9fc32abd216%40%3Cdev.oozie.apache.org%3E
Impacted products
Vendor Product Version
apache oozie 3.1.2
apache oozie 3.1.3
apache oozie 3.2
apache oozie 3.2.0
apache oozie 3.2.0
apache oozie 3.3.0
apache oozie 3.3.0
apache oozie 3.3.0
apache oozie 3.3.1
apache oozie 3.3.1
apache oozie 3.3.1
apache oozie 3.3.2
apache oozie 3.3.2
apache oozie 4.0.0
apache oozie 4.0.0
apache oozie 4.0.0
apache oozie 4.0.0
apache oozie 4.0.1
apache oozie 4.0.1
apache oozie 4.0.1
apache oozie 4.1.0
apache oozie 4.1.0
apache oozie 4.1.0
apache oozie 4.2.0
apache oozie 4.2.0
apache oozie 4.3.0
apache oozie 4.3.0
apache oozie 4.3.0
apache oozie 5.0.0
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:apache:oozie:3.1.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "8E27E277-5C05-4A7F-8F3A-705A69CC64C1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:oozie:3.1.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "553025E8-0C63-4884-AF2B-DE273495FEE6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:oozie:3.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "3FDD671D-4BB7-4E34-9FA3-9CBC5D8C72E4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:oozie:3.2.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "61DE1BFA-1092-451C-8298-2B18E504C0F5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:oozie:3.2.0:incubating:*:*:*:*:*:*",
              "matchCriteriaId": "2E3F39F1-D6A4-4A3D-A599-BDA44C35F325",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:oozie:3.3.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "3FB5A75F-E3D6-4473-ACC9-A395784E9257",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:oozie:3.3.0:rc0:*:*:*:*:*:*",
              "matchCriteriaId": "54AA2C05-D12A-40B2-9057-678DE35A26D0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:oozie:3.3.0:rc1:*:*:*:*:*:*",
              "matchCriteriaId": "E7EF67B4-BAFB-487D-972C-258213C6A400",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:oozie:3.3.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "1D645772-64AA-4D4D-9206-A858592E053D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:oozie:3.3.1:rc0:*:*:*:*:*:*",
              "matchCriteriaId": "34085D87-5EE4-478D-8A6B-97E05F965AFF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:oozie:3.3.1:rc1:*:*:*:*:*:*",
              "matchCriteriaId": "5682A48E-976D-4F0D-BA4C-63B42788500F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:oozie:3.3.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "0B0D2683-519E-4833-9A68-0EA11DF93829",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:oozie:3.3.2:rc0:*:*:*:*:*:*",
              "matchCriteriaId": "4AA8E7A5-530A-4EEE-8613-ECD01CCFA0B8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:oozie:4.0.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "D6A0A49A-A1B4-4FEB-94E3-762E40A816E0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:oozie:4.0.0:rc0:*:*:*:*:*:*",
              "matchCriteriaId": "92AFFD7F-3B8F-4A06-9EF9-C1BFC6D97519",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:oozie:4.0.0:rc1:*:*:*:*:*:*",
              "matchCriteriaId": "160E96D4-289C-4021-B1D7-2EA9001150A1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:oozie:4.0.0:rc3:*:*:*:*:*:*",
              "matchCriteriaId": "8DEC1364-33EE-41EB-8692-9039BA7D7969",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:oozie:4.0.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "3A24D04C-CE3C-49FF-B340-D204CFF458E9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:oozie:4.0.1:rc0:*:*:*:*:*:*",
              "matchCriteriaId": "7EC90787-032C-48CC-BCAF-F1D0123B73B5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:oozie:4.0.1:rc1:*:*:*:*:*:*",
              "matchCriteriaId": "963D7266-7665-4849-867F-4DDEC8166813",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:oozie:4.1.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "CE25673C-5D56-42CF-8611-E6189B6A7FD4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:oozie:4.1.0:rc0:*:*:*:*:*:*",
              "matchCriteriaId": "6343A815-8D76-458C-BB3E-2B095543DA2F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:oozie:4.1.0:rc1:*:*:*:*:*:*",
              "matchCriteriaId": "6E2BC58D-1695-453B-809C-EAC92D2BDD24",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:oozie:4.2.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "30F5CE52-B0A6-433E-B8C0-346A9E16FC7F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:oozie:4.2.0:rc0:*:*:*:*:*:*",
              "matchCriteriaId": "CF297DCD-64F6-4035-9998-010CEE6E59F3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:oozie:4.3.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "DD866B64-C655-4FEA-B1DA-012A0AE5397F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:oozie:4.3.0:rc0:*:*:*:*:*:*",
              "matchCriteriaId": "39A5D900-5625-4653-BC46-B42E2BF97D86",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:oozie:4.3.0:rc1:*:*:*:*:*:*",
              "matchCriteriaId": "0C14F101-7DBA-4872-A055-45B0D6DE2F1D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:oozie:5.0.0:beta1:*:*:*:*:*:*",
              "matchCriteriaId": "3C5FADBD-3A42-4BA4-A48E-3AB3AF941C48",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Vulnerability allows a user of Apache Oozie 3.1.3-incubating to 4.3.0 and 5.0.0-beta1 to expose private files on the Oozie server process. The malicious user can construct a workflow XML file containing XML directives and configuration that reference sensitive files on the Oozie server host."
    },
    {
      "lang": "es",
      "value": "Vulnerabilidad permite que un usuario de Apache Oozie desde la versi\u00f3n 3.1.3-incubating hasta la 4.3.0 y 5.0.0-beta1 exponga archivos privados en el proceso del servidor Oozie. Este usuario malicioso puede construir un archivo XML de flujo de trabajo que contenga directivas XML y configuraci\u00f3n que haga referencia a archivos sensibles en el host del servidor del Oozie."
    }
  ],
  "id": "CVE-2017-15712",
  "lastModified": "2024-11-21T03:15:03.943",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "SINGLE",
          "availabilityImpact": "NONE",
          "baseScore": 6.8,
          "confidentialityImpact": "COMPLETE",
          "integrityImpact": "NONE",
          "vectorString": "AV:N/AC:L/Au:S/C:C/I:N/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 8.0,
        "impactScore": 6.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.0"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2018-02-19T14:29:00.207",
  "references": [
    {
      "source": "security@apache.org",
      "tags": [
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://www.securityfocus.com/bid/103102"
    },
    {
      "source": "security@apache.org",
      "url": "https://lists.apache.org/thread.html/4606709264fe7cb0285e2a12aca2d01a06b14cd58791c9fc32abd216%40%3Cdev.oozie.apache.org%3E"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://www.securityfocus.com/bid/103102"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.apache.org/thread.html/4606709264fe7cb0285e2a12aca2d01a06b14cd58791c9fc32abd216%40%3Cdev.oozie.apache.org%3E"
    }
  ],
  "sourceIdentifier": "security@apache.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-22"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.