Description

An XML External Entity (XXE) vulnerability exists in the Ambari/Oozie project, allowing an attacker to inject malicious XML entities. This vulnerability occurs due to insecure parsing of XML input using the `DocumentBuilderFactory` class without disabling external entity resolution. An attacker can exploit this vulnerability to read arbitrary files on the server or perform server-side request forgery (SSRF) attacks. The issue has been fixed in both Ambari 2.7.9 and the trunk branch.

INFO

Published Date :

2025-01-21T21:22:33.286Z

Last Modified :

2025-01-22T14:49:46.312Z

Source :

apache
AFFECTED PRODUCTS

The following products are affected by CVE-2025-23195 vulnerability.

Vendors Products
Apache
  • Ambari
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-23195.

URL Resource
http://www.openwall.com/lists/oss-security/2025/01/21/7 cve-icon
https://lists.apache.org/thread/hsb6mvxd7g37dq1ygtd0pd88gs9tfcwq cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact