CVE-2017-5646
First published: Fri May 26 2017(Updated: )
For versions of Apache Knox from 0.2.0 to 0.11.0 - an authenticated user may use a specially crafted URL to impersonate another user while accessing WebHDFS through Apache Knox. This may result in escalated privileges and unauthorized data access. While this activity is audit logged and can be easily associated with the authenticated user, this is still a serious security issue. All users are recommended to upgrade to the Apache Knox 0.12.0 release.
Credit: security@apache.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Apache Knox | =0.2.0 | |
| Apache Knox | =0.3.0 | |
| Apache Knox | =0.4.0 | |
| Apache Knox | =0.5.0 | |
| Apache Knox | =0.6.0 | |
| Apache Knox | =0.7.0 | |
| Apache Knox | =0.8.0 | |
| Apache Knox | =0.9.0 | |
| Apache Knox | =0.10.0 | |
| Apache Knox | =0.11.0 | |
| maven/org.apache.knox:gateway-provider-identity-assertion-common | >=0.2.0<0.12.0 | 0.12.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://mail-archives.apache.org/mod_mbox/knox-user/201705.mbox/%3CCACRbFyjtT7QQGHUzTRdbJoySbJb7tt4BDk5-r-VRn0GB0Kgvag%40mail.gmail.com%3E
- http://www.securityfocus.com/bid/98739
- https://lists.apache.org/thread.html/rcd6bcbcc08840d4e4bea661efe9a5ef8f6126ebbbc5bc266701d8f48@%3Cdev.logging.apache.org%3E
- https://nvd.nist.gov/vuln/detail/CVE-2017-5646
- https://github.com/apache/knox/commit/998dcd257dc839c9651485760da4d614c16e2ca2
- https://github.com/advisories/GHSA-g3fc-8jv4-qmmv (Advisory)
- https://lists.apache.org/thread.html/rcd6bcbcc08840d4e4bea661efe9a5ef8f6126ebbbc5bc266701d8f48%40%3Cdev.logging.apache.org%3E
Frequently Asked Questions
What is the severity of CVE-2017-5646?
CVE-2017-5646 is considered a high severity vulnerability due to its potential for escalated privileges and unauthorized data access.
How do I fix CVE-2017-5646?
To mitigate CVE-2017-5646, upgrade your Apache Knox installation to version 0.12.0 or later.
Who is affected by CVE-2017-5646?
Apache Knox versions from 0.2.0 to 0.11.0 are affected by CVE-2017-5646.
What type of attack is described by CVE-2017-5646?
CVE-2017-5646 describes an attack where an authenticated user can impersonate another user through a specially crafted URL.
What can be the consequences of CVE-2017-5646?
Exploitation of CVE-2017-5646 can lead to unauthorized access to sensitive data and privilege escalation.
- collector/nvd-index
- agent/type
- agent/first-publish-date
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-g3fc-8jv4-qmmv
- alias/CVE-2017-5646
- agent/software-canonical-lookup
- agent/weakness
- agent/last-modified-date
- agent/author
- agent/severity
- agent/softwarecombine
- agent/description
- agent/event
- collector/nvd-cve
- source/NVD
- agent/references
- agent/source
- agent/tags
- collector/github-advisory
- vendor/apache
- canonical/apache knox
- version/apache knox/0.2.0
- version/apache knox/0.3.0
- version/apache knox/0.4.0
- version/apache knox/0.5.0
- version/apache knox/0.6.0
- version/apache knox/0.7.0
- version/apache knox/0.8.0
- version/apache knox/0.9.0
- version/apache knox/0.10.0
- version/apache knox/0.11.0
- package-manager/maven