PT-2018-10730 · Cloudera · Hue
Published
2018-06-01
·
Updated
2018-06-27
·
CVE-2018-11649
CVSS v3.1
6.1
Medium
| Vector | AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
Hue version 3.12
Description
The issue is related to a security problem where an attacker can execute malicious scripts. This is achieved through the
/pig/save/ endpoint, specifically by manipulating the name and script parameters.Recommendations
For Hue version 3.12, consider restricting access to the
/pig/save/ endpoint until a patch is available. As a temporary workaround, avoid using the name and script parameters in this endpoint to minimize the risk of exploitation.Exploit
Fix
XSS
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Hue