CVE-2016-6807 - OpenCVE

Custom commands may be executed on Ambari Agent (2.4.x, before 2.4.2) hosts without authorization, leading to unauthorized access to operations that may affect the underlying system. Such operations are invoked by the Ambari Agent process on Ambari Agent hosts, as the user executing the Ambari Agent process.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:N/C:P/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Apache	Ambari

Configuration 1 [-]

OR	cpe:2.3:a:apache:ambari:2.4.0:::::::*
	cpe:2.3:a:apache:ambari:2.4.1:::::::*

No data.

References

Link	Providers
http://www.securityfocus.com/bid/97184
https://cwiki.apache.org/confluence/display/AMBARI/Ambari+Vulnerabilities#AmbariVulnerabilities-FixedinAmbari2.4.2

History

No history.

MITRE

Status: PUBLISHED

Assigner: apache

Published: 2017-03-28T20:00:00

Updated: 2024-08-06T01:43:37.895Z

Reserved: 2016-08-12T00:00:00

Link: CVE-2016-6807

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2017-03-28T20:59:00.170

Modified: 2017-04-04T15:42:19.547

Link: CVE-2016-6807

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "Apache Ambari", "vendor": "Apache Software Foundation", "versions": [{"status": "affected", "version": "2.4.x before 2.4.2"}]}], "datePublic": "2016-11-15T00:00:00", "descriptions": [{"lang": "en", "value": "Custom commands may be executed on Ambari Agent (2.4.x, before 2.4.2) hosts without authorization, leading to unauthorized access to operations that may affect the underlying system. Such operations are invoked by the Ambari Agent process on Ambari Agent hosts, as the user executing the Ambari Agent process."}], "problemTypes": [{"descriptions": [{"description": "missing authorization check", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-03-30T09:57:01", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache"}, "references": [{"name": "97184", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/97184"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://cwiki.apache.org/confluence/display/AMBARI/Ambari+Vulnerabilities#AmbariVulnerabilities-FixedinAmbari2.4.2"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@apache.org", "ID": "CVE-2016-6807", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Apache Ambari", "version": {"version_data": [{"version_value": "2.4.x before 2.4.2"}]}}]}, "vendor_name": "Apache Software Foundation"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Custom commands may be executed on Ambari Agent (2.4.x, before 2.4.2) hosts without authorization, leading to unauthorized access to operations that may affect the underlying system. Such operations are invoked by the Ambari Agent process on Ambari Agent hosts, as the user executing the Ambari Agent process."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "missing authorization check"}]}]}, "references": {"reference_data": [{"name": "97184", "refsource": "BID", "url": "http://www.securityfocus.com/bid/97184"}, {"name": "https://cwiki.apache.org/confluence/display/AMBARI/Ambari+Vulnerabilities#AmbariVulnerabilities-FixedinAmbari2.4.2", "refsource": "CONFIRM", "url": "https://cwiki.apache.org/confluence/display/AMBARI/Ambari+Vulnerabilities#AmbariVulnerabilities-FixedinAmbari2.4.2"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T01:43:37.895Z"}, "title": "CVE Program Container", "references": [{"name": "97184", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/97184"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://cwiki.apache.org/confluence/display/AMBARI/Ambari+Vulnerabilities#AmbariVulnerabilities-FixedinAmbari2.4.2"}]}]}, "cveMetadata": {"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2016-6807", "datePublished": "2017-03-28T20:00:00", "dateReserved": "2016-08-12T00:00:00", "dateUpdated": "2024-08-06T01:43:37.895Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:ambari:2.4.0:*:*:*:*:*:*:*", "matchCriteriaId": "243741C6-FCA5-4E8F-93A6-033144214F31", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:ambari:2.4.1:*:*:*:*:*:*:*", "matchCriteriaId": "114B2179-C5A7-4802-9A3C-580BF8153285", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Custom commands may be executed on Ambari Agent (2.4.x, before 2.4.2) hosts without authorization, leading to unauthorized access to operations that may affect the underlying system. Such operations are invoked by the Ambari Agent process on Ambari Agent hosts, as the user executing the Ambari Agent process."}, {"lang": "es", "value": "Los comandos personalizados pueden ser ejecutados en hosts Ambari Agent (2.4.x, en versiones anteriores a 2.4.2) sin autorizaci\u00f3n, lo que lleva a una acceso no autorizado a operaciones que pueden afectar a sistema subyacente. Tales operaciones son invocadas por el proceso Ambari Agent en el hosts Ambari Agent, com el usuario que ejecuta el proceso Ambari Agent."}], "id": "CVE-2016-6807", "lastModified": "2017-04-04T15:42:19.547", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2017-03-28T20:59:00.170", "references": [{"source": "security@apache.org", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/97184"}, {"source": "security@apache.org", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://cwiki.apache.org/confluence/display/AMBARI/Ambari+Vulnerabilities#AmbariVulnerabilities-FixedinAmbari2.4.2"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-284"}], "source": "nvd@nist.gov", "type": "Primary"}]}