RSS   Vulnerabilities for 'Cloudera manager'   RSS

2019-11-26
 
CVE-2019-14449

CWE-79
 

 
An issue was discovered in Cloudera Manager 5.x before 5.16.2, 6.0.x before 6.0.2, and 6.1.x before 6.1.1. Malicious impala queries can result in Cross Site Scripting (XSS) when viewed within this product.

 
 
CVE-2017-7399

CWE-269
 

 
Cloudera Manager 5.8.x before 5.8.5, 5.9.x before 5.9.2, and 5.10.x before 5.10.1 allows a read-only Cloudera Manager user to discover the usernames of other users and elevate the privileges of those users.

 
 
CVE-2016-9271

CWE-79
 

 
Cloudera Manager 5.7.x before 5.7.6, 5.8.x before 5.8.4, and 5.9.x before 5.9.1 allows XSS in the help search feature.

 
 
CVE-2016-3192

CWE-312
 

 
Cloudera Manager 5.x before 5.7.1 places Sensitive Data in cleartext Readable Files.

 
 
CVE-2015-6495

CWE-200
 

 
There is Sensitive Information in Cloudera Manager before 5.4.6 Diagnostic Support Bundles.

 
 
CVE-2015-4457

CWE-79
 

 
Multiple cross-site scripting (XSS) vulnerabilities in the Cloudera Manager UI before 5.4.3 allow remote authenticated users to inject arbitrary web script or HTML using unspecified vectors.

 
2019-07-11
 
CVE-2018-11744

CWE-284
 

 
Cloudera Manager through 5.15 has Incorrect Access Control.

 
2019-07-03
 
CVE-2017-9327

CWE-275
 

 
Secret data of processes managed by CM is not secured by file permissions.

 
 
CVE-2017-9326

CWE-255
 

 
The keystore password for the Spark History Server may be exposed in unsecured files under the /var/run/cloudera-scm-agent directory managed by Cloudera Manager. The keystore file itself is not exposed.

 
2019-06-20
 
CVE-2018-15913

CWE-79
 

 
An issue was discovered in Cloudera Manager 5.x through 5.15.0. One type of page in Cloudera Manager uses a 'returnUrl' parameter to redirect the user to another page in Cloudera Manager once a wizard is completed. The validity of this parameter was not checked. As a result, the user could be automatically redirected to an attacker's external site or perform a malicious JavaScript function that results in cross-site scripting (XSS). This was fixed by not allowing any value in the returnUrl parameter with patterns such as http://, https://, //, or javascript. The only exceptions to this rule are the SAML Login/Logout URLs, which remain supported since they are explicitly configured and they are not passed via the returnUrl parameter.

 


Copyright 2020, cxsecurity.com

 

Back to Top