CVE-2025-23195
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2025-23195
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-23195.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2025-23195
- Published
- 2025-01-21T22:15:12Z
- Modified
- 2025-06-10T10:45:14.210538Z
- Summary
- [none]
- Details
-
An XML External Entity (XXE) vulnerability exists in the Ambari/Oozie project, allowing an attacker to inject malicious XML entities. This vulnerability occurs due to insecure parsing of XML input using the
DocumentBuilderFactoryclass without disabling external entity resolution. An attacker can exploit this vulnerability to read arbitrary files on the server or perform server-side request forgery (SSRF) attacks. The issue has been fixed in both Ambari 2.7.9 and the trunk branch. - References
Affected packages
Git / github.com/apache/ambari
Affected ranges
- Type
- GIT
- Repo
- https://github.com/apache/ambari
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed
Affected versions
release-2.*
release-2.7.0
release-2.7.0-rc0
release-2.7.1
release-2.7.1-rc0
release-2.7.3
release-2.7.3-rc0
release-2.7.3-rc1
release-2.7.3-rc2
release-2.7.4
release-2.7.4-rc0
release-2.7.5
release-2.7.5-rc0
release-2.7.6
release-2.7.6-rc0
release-2.7.6-rc1
release-2.7.8
release-2.7.8-rc0