Vulnerability Description
For versions of Apache Knox from 0.2.0 to 0.11.0 - an authenticated user may use a specially crafted URL to impersonate another user while accessing WebHDFS through Apache Knox. This may result in escalated privileges and unauthorized data access. While this activity is audit logged and can be easily associated with the authenticated user, this is still a serious security issue. All users are recommended to upgrade to the Apache Knox 0.12.0 release.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Apache | Knox | 0.2.0 |
Related Weaknesses (CWE)
References
- http://mail-archives.apache.org/mod_mbox/knox-user/201705.mbox/%3CCACRbFyjtT7QQGMailing ListVendor Advisory
- http://www.securityfocus.com/bid/98739Third Party AdvisoryVDB Entry
- https://lists.apache.org/thread.html/rcd6bcbcc08840d4e4bea661efe9a5ef8f6126ebbbc
- http://mail-archives.apache.org/mod_mbox/knox-user/201705.mbox/%3CCACRbFyjtT7QQGMailing ListVendor Advisory
- http://www.securityfocus.com/bid/98739Third Party AdvisoryVDB Entry
- https://lists.apache.org/thread.html/rcd6bcbcc08840d4e4bea661efe9a5ef8f6126ebbbc
FAQ
What is CVE-2017-5646?
CVE-2017-5646 is a vulnerability with a CVSS score of 6.8 (MEDIUM). For versions of Apache Knox from 0.2.0 to 0.11.0 - an authenticated user may use a specially crafted URL to impersonate another user while accessing WebHDFS through Apache Knox. This may result in esc...
How severe is CVE-2017-5646?
CVE-2017-5646 has been rated MEDIUM with a CVSS base score of 6.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2017-5646?
Check the references section above for vendor advisories and patch information. Affected products include: Apache Knox.