CVE-2016-4948

Name of the Vulnerable Software and Affected Versions Cloudera Manager versions 5.5 and earlier

Description The issue allows remote attackers to inject arbitrary web script or HTML via several fields in the Kerberos wizard, including the Template Name field, KDC Server host, Kerberos Security Realm, Kerberos Encryption Types, and various Advanced Configuration Snippet fields. Additionally, the classicWizard parameter to cmf/cloudera-director/redirect is vulnerable.

Recommendations For Cloudera Manager versions 5.5 and earlier, update to a version later than 5.5 to resolve the issue. As a temporary workaround, consider restricting access to the Kerberos wizard and avoiding use of the vulnerable fields until a patch is available. Avoid using the classicWizard parameter to cmf/cloudera-director/redirect until the issue is resolved.