PT-2017-8629 · Cloudera · Cloudera Manager
Published
2017-03-07
·
Updated
2017-03-09
·
CVE-2016-4949
CVSS v3.1
7.5
High
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Cloudera Manager versions 5.5 and earlier
Description
The issue allows remote attackers to obtain sensitive information. This can be achieved by manipulating the
filename parameter in the "/cmf/process//logs" endpoint, specifically by using a (1) stderr.log or (2) stdout.log value.Recommendations
For Cloudera Manager versions 5.5 and earlier, consider restricting access to the "/cmf/process//logs" endpoint to minimize the risk of exploitation. Avoid using the
filename parameter with sensitive log values until the issue is resolved.Fix
Information Disclosure
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Cloudera Manager