CVE-2025-23196
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2025-23196
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-23196.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2025-23196
- Published
- 2025-01-21T22:15:12Z
- Modified
- 2025-06-10T10:45:14.456049Z
- Summary
- [none]
- Details
-
A code injection vulnerability exists in the Ambari Alert Definition feature, allowing authenticated users to inject and execute arbitrary shell commands. The vulnerability arises when defining alert scripts, where the script filename field is executed using
sh -c. An attacker with authenticated access can exploit this vulnerability to inject malicious commands, leading to remote code execution on the server. The issue has been fixed in the latest versions of Ambari. - References
Affected packages
Git / github.com/apache/ambari
Affected ranges
- Type
- GIT
- Repo
- https://github.com/apache/ambari
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed
Affected versions
release-2.*
release-2.7.0
release-2.7.0-rc0
release-2.7.1
release-2.7.1-rc0
release-2.7.3
release-2.7.3-rc0
release-2.7.3-rc1
release-2.7.3-rc2
release-2.7.4
release-2.7.4-rc0
release-2.7.5
release-2.7.5-rc0
release-2.7.6
release-2.7.6-rc0
release-2.7.6-rc1
release-2.7.8
release-2.7.8-rc0