An XML External Entity (XXE) vulnerability exists in the Ambari/Oozie
project, allowing an attacker to inject malicious XML entities. This
vulnerability occurs due to insecure parsing of XML input using the
`DocumentBuilderFactory` class without disabling external entity
resolution. An attacker can exploit this vulnerability to read arbitrary
files on the server or perform server-side request forgery (SSRF)
attacks. The issue has been fixed in both Ambari 2.7.9 and the trunk
branch.
project, allowing an attacker to inject malicious XML entities. This
vulnerability occurs due to insecure parsing of XML input using the
`DocumentBuilderFactory` class without disabling external entity
resolution. An attacker can exploit this vulnerability to read arbitrary
files on the server or perform server-side request forgery (SSRF)
attacks. The issue has been fixed in both Ambari 2.7.9 and the trunk
branch.
Metrics
Affected Vendors & Products
References
History
Mon, 09 Jun 2025 20:00:00 +0000
Type | Values Removed | Values Added |
---|---|---|
First Time appeared |
Apache
Apache ambari |
|
CPEs | cpe:2.3:a:apache:ambari:*:*:*:*:*:*:*:* | |
Vendors & Products |
Apache
Apache ambari |
Wed, 22 Jan 2025 15:15:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Metrics |
cvssV3_1
|
Tue, 21 Jan 2025 23:45:00 +0000
Type | Values Removed | Values Added |
---|---|---|
References |
|
Tue, 21 Jan 2025 21:30:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Description | An XML External Entity (XXE) vulnerability exists in the Ambari/Oozie project, allowing an attacker to inject malicious XML entities. This vulnerability occurs due to insecure parsing of XML input using the `DocumentBuilderFactory` class without disabling external entity resolution. An attacker can exploit this vulnerability to read arbitrary files on the server or perform server-side request forgery (SSRF) attacks. The issue has been fixed in both Ambari 2.7.9 and the trunk branch. | |
Title | Apache Ambari: XML External Entity (XXE) Vulnerability in Ambari/Oozie | |
Weaknesses | CWE-611 | |
References |
|

Status: PUBLISHED
Assigner: apache
Published:
Updated: 2025-01-22T14:49:46.312Z
Reserved: 2025-01-13T14:34:06.970Z
Link: CVE-2025-23195

Updated: 2025-01-21T23:02:43.302Z

Status : Analyzed
Published: 2025-01-21T22:15:12.863
Modified: 2025-06-09T19:36:09.710
Link: CVE-2025-23195

No data.

No data.