Cyber Posture

CVE-2025-23195

Severity: High
Published: 21 January 2025
Modified: 09 June 2025
KEV Added: (not listed)
Patch: available
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0027 (50.8th percentile)
Risk Priority: 15 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Description

An XML External Entity (XXE) vulnerability exists in the Ambari/Oozie project, allowing an attacker to inject malicious XML entities. This vulnerability occurs due to insecure parsing of XML input using the `DocumentBuilderFactory` class without disabling external entity resolution. An attacker can exploit this vulnerability to read arbitrary files on the server or perform server-side request forgery (SSRF) attacks. The issue has been fixed in both Ambari 2.7.9 and the trunk branch.

Security Summary

CVE-2025-23195 is an XML External Entity (XXE) vulnerability, classified under CWE-611, in the Apache Ambari/Oozie project. The flaw arises from parsing untrusted XML with a `DocumentBuilderFactory` on which external entity resolution was never disabled, so an attacker-supplied DOCTYPE can declare entities that the parser resolves from local files or remote URLs. It affects Ambari versions prior to 2.7.9; the issue is resolved in Ambari 2.7.9 and on the trunk branch. The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N): high confidentiality impact, with no integrity or availability impact in the vector.

Remote attackers without authentication or user interaction can exploit this vulnerability over the network by submitting crafted XML input to affected endpoints in Ambari/Oozie. Successful exploitation allows arbitrary file reads on the server, potentially exposing sensitive configuration files, credentials, or system data, or enables server-side request forgery (SSRF) to interact with internal services.

The Apache announcement on the project mailing list and the corresponding oss-security posting (see References) confirm the fix in Ambari 2.7.9 and the trunk branch. Practitioners should upgrade to 2.7.9 or later, confirm the running version after the upgrade, and review any XML parsing code in their own deployments to ensure that DOCTYPE declarations and external entity processing are explicitly disabled on every `DocumentBuilderFactory` that handles untrusted input.

Details

CWE(s)
CWE-611

Affected Products

apache
ambari
< 2.7.9 (fixed in 2.7.9)

References