CVE-2017-5646

For versions of Apache Knox from 0.2.0 to 0.11.0 - an authenticated user may use a specially crafted URL to impersonate another user while accessing WebHDFS through Apache Knox. This may result in escalated privileges and unauthorized data access. While this activity is audit logged and can be easily associated with the authenticated user, this is still a serious security issue. All users are recommended to upgrade to the Apache Knox 0.12.0 release.

CVSS v3 6.8 MEDIUM
CVSS v2.0 4.9 MEDIUM

6.8^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 1.6 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

4.9^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:M/Au:S/C:P/I:P/A:N

Exploitability : 6.8 / Impact : 4.9

Access Vector NETWORK

Access Complexity MEDIUM

Authentication SINGLE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
http://mail-archives.apache.org/mod_mbox/knox-user/201705.mbox/%3CCACRbFyjtT7QQGHUzTRdbJoySbJb7tt4BDk5-r-VRn0GB0Kgvag%40mail.gmail.com%3E	Mailing List Vendor Advisory
http://www.securityfocus.com/bid/98739	Third Party Advisory VDB Entry
https://lists.apache.org/thread.html/rcd6bcbcc08840d4e4bea661efe9a5ef8f6126ebbbc5bc266701d8f48%40%3Cdev.logging.apache.org%3E

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:apache:knox:0.2.0:::::::*
	cpe:2.3:a:apache:knox:0.3.0:::::::*
	cpe:2.3:a:apache:knox:0.4.0:::::::*
	cpe:2.3:a:apache:knox:0.5.0:::::::*
	cpe:2.3:a:apache:knox:0.6.0:::::::*
	cpe:2.3:a:apache:knox:0.7.0:::::::*
	cpe:2.3:a:apache:knox:0.8.0:::::::*
	cpe:2.3:a:apache:knox:0.9.0:::::::*
	cpe:2.3:a:apache:knox:0.10.0:::::::*
	cpe:2.3:a:apache:knox:0.11.0:::::::*

History

07 Nov 2023, 02:49

Type	Values Removed	Values Added
References	{'url': 'https://lists.apache.org/thread.html/rcd6bcbcc08840d4e4bea661efe9a5ef8f6126ebbbc5bc266701d8f48@%3Cdev.logging.apache.org%3E', 'name': '[logging-dev] 20201107 Re: Chainsaw update', 'tags': ['Mailing List', 'Vendor Advisory'], 'refsource': 'MLIST'}	() https://lists.apache.org/thread.html/rcd6bcbcc08840d4e4bea661efe9a5ef8f6126ebbbc5bc266701d8f48%40%3Cdev.logging.apache.org%3E -

06 Apr 2021, 12:54

Type	Values Removed	Values Added
References	~~(MLIST) https://lists.apache.org/thread.html/rcd6bcbcc08840d4e4bea661efe9a5ef8f6126ebbbc5bc266701d8f48@%3Cdev.logging.apache.org%3E -~~	(MLIST) https://lists.apache.org/thread.html/rcd6bcbcc08840d4e4bea661efe9a5ef8f6126ebbbc5bc266701d8f48@%3Cdev.logging.apache.org%3E - Mailing List, Vendor Advisory

Information

Published : 2017-05-26 21:29

Updated : 2023-12-10 12:15

NVD link : CVE-2017-5646

Mitre link : CVE-2017-5646

CVE.ORG link : CVE-2017-5646

JSON object : View

Products Affected

apache

knox

CWE

CWE-346

Origin Validation Error

6.8 /10

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

4.9 /10

Access Vector NETWORK

Access Complexity MEDIUM

Authentication SINGLE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact NONE

JSON object

Attach tags to CVE-2017-5646

6.8^/10

4.9^/10

Attach tags to `CVE-2017-5646`