Ambari · CVE-2025-23195
**Name of the Vulnerable Software and Affected Versions**
Ambari versions prior to 2.7.9
**Description**
An XML External Entity (XXE) issue exists: XML input is parsed with a parser created from the `DocumentBuilderFactory` class without disabling DOCTYPE declarations and external entity resolution. An attacker who can supply XML to the affected parser can declare an external entity (for example one whose system identifier is a `file:` or `http:` URI) and have the parser resolve it, which can be exploited to read arbitrary files the Ambari process can access or to perform server-side request forgery (SSRF) against hosts reachable from the server.
**Recommendations**
Update to Ambari 2.7.9 or later to resolve the issue. If you cannot upgrade immediately, harden the affected parsers as a temporary workaround: configure `DocumentBuilderFactory` to disallow DOCTYPE declarations and to disable external general and parameter entity resolution and external DTD loading, and restrict which untrusted inputs reach the XML parser at all. Removing the use of the class is not required; the weakness is in its default configuration, not in the class itself.
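The following is an added example and not code from the advisory or the Ambari project. It shows the default `DocumentBuilderFactory` pattern the advisory describes next to a hardened factory of the kind the workaround calls for, and runs a constructed XXE payload through both. The class name, the `<cfg>/<name>` document shape and the `/etc/hostname` path are assumptions chosen for illustration.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;

public class XxeDemo {

    // Constructed sample input: a DTD that declares an external entity pointing at a
    // local file. /etc/hostname is an arbitrary readable file chosen for the example;
    // an attacker would point the SYSTEM identifier at any file or URL of interest.
    static final String XXE_PAYLOAD =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE cfg [<!ENTITY xxe SYSTEM \"file:///etc/hostname\">]>\n"
      + "<cfg><name>&xxe;</name></cfg>";

    // Vulnerable pattern: a default factory. The JDK's built-in parser resolves
    // external entities unless told otherwise, so &xxe; expands to the file's contents.
    static DocumentBuilderFactory insecureFactory() {
        return DocumentBuilderFactory.newInstance();
    }

    // Hardened pattern: reject DOCTYPE outright, which removes entity declarations
    // entirely. The remaining settings are defence in depth for parsers that do not
    // honour disallow-doctype-decl or where a DTD must be tolerated.
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        // Empty string = no protocols allowed for fetching external DTDs/schemas.
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return f;
    }

    // Parse the document with the given factory and return the text of <name>,
    // or null when the parser rejects the input (the hardened path throws a
    // SAXParseException as soon as it sees the DOCTYPE).
    static String parseName(DocumentBuilderFactory f, String xml) {
        try {
            DocumentBuilder b = f.newDocumentBuilder();
            Document d = b.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return d.getElementsByTagName("name").item(0).getTextContent();
        } catch (Exception e) {
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        // With the insecure factory, on a host where /etc/hostname exists, the
        // printed value is that file's contents: the entity was resolved and inlined.
        System.out.println("insecure: " + parseName(insecureFactory(), XXE_PAYLOAD));
        // With the hardened factory the DOCTYPE is refused and null is printed.
        System.out.println("hardened: " + parseName(hardenedFactory(), XXE_PAYLOAD));
    }
}
```

Compile and run with `javac XxeDemo.java && java XxeDemo` on a JDK with the standard JAXP implementation. The useful check when auditing a code base for this pattern is simply whether every `DocumentBuilderFactory.newInstance()` call is followed by `setFeature("http://apache.org/xml/features/disallow-doctype-decl", true)` before `newDocumentBuilder()`; a factory that is created and used without any `setFeature` calls is the shape the advisory describes.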