Description

Apache Ambari, version 2.5.0 to 2.6.2, passwords for Hadoop credential stores are exposed in Ambari Agent informational log messages when the credential store feature is enabled for eligible services. For example, Hive and Oozie.

Remediation

References

http://www.securityfocus.com/bid/104869

https://cwiki.apache.org/confluence/display/AMBARI/Ambari+Vulnerabilities#AmbariVulnerabilities-CVE-2018-8042

Related Vulnerabilities

CVE-2022-23305 Vulnerability in maven package log4j:log4j

CVE-2020-28500 Vulnerability in maven package org.webjars.bowergithub.lodash:lodash

CVE-2023-31064 Vulnerability in maven package org.apache.inlong:manager-workflow

CVE-2021-29425 Vulnerability in maven package commons-io:commons-io

CVE-2019-17573 Vulnerability in maven package org.apache.cxf:cxf-bundle

Severity

Critical

Classification

CWE-209 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Broken Link Vendor Advisory