Cloudera Manager 4.8.2 / 5.0.0 Information Disclosure

2014.06.06
Credit: Anonymous
Risk: Low
Local: No
Remote: Yes
CWE: CWE-200


CVSS Base Score: 4/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8/10
Exploit range: Remote
Attack complexity: Low
Authentication: Single time
Confidentiality impact: Partial
Integrity impact: None
Availability impact: None

------------------------------------------------------------------------------------------ Technical Service Bulletin 2014-28 (TSB) Title: Security Vulnerability: Sensitive Configuration Values Exposed in Cloudera Manager Certain configuration values that are stored in Cloudera Manager are considered 'sensitive', such as database passwords. These configuration values are expected to be inaccessible to non-admin users, and this is enforced in the Cloudera Manager Admin Console. However, these configuration values are not redacted when reading them through the API, possibly making them accessible to users who should not have such access. Products affected: Cloudera Manager Releases affected: Cloudera Manager 4.8.2 and lower, Cloudera Manager 5.0.0 Users Affected: Cloudera Manager installations with non-admin users Date/time of detection: May 7, 2014 Severity: High Impact: Through the API only, non-admin users can access potentially sensitive configuration information CVE: CVE-2014-0220 Immediate action required: See the following knowledge base article: Security Vulnerability: Sensitive Configuration Values Exposed in Cloudera Manager ETA for resolution: May 13, 2014 Addressed in release/refresh/patch: Cloudera Manager 4.8.3 and 5.0.1 ------------------------------------------------------------------------------------------


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2019, cxsecurity.com

 

Back to Top