CVE-2018-20091

Name of the Vulnerable Software and Affected Versions Cloudera Data Science Workbench versions 1.4.0 through 1.4.2

Description An SQL injection issue was found, allowing any authenticated user to run arbitrary queries against the internal database. This database contains user contact information, encrypted passwords, API keys, and stored Kerberos keytabs.

Recommendations For Cloudera Data Science Workbench versions 1.4.0 through 1.4.2, consider restricting access to the internal database to minimize the risk of exploitation until a patch is available. As a temporary workaround, limit the privileges of authenticated users to prevent them from running arbitrary queries against the database.