CVE-2025-23196
Published: 21 January 2025
Description
A code injection vulnerability exists in the Ambari Alert Definition feature, allowing authenticated users to inject and execute arbitrary shell commands. The vulnerability arises when defining alert scripts, where the script filename field is executed using `sh -c`. An attacker with authenticated access can exploit this vulnerability to inject malicious commands, leading to remote code execution on the server. The issue has been fixed in the latest versions of Ambari.
Security Summary
CVE-2025-23196 is a code injection vulnerability (CWE-77) in the Ambari Alert Definition feature of Apache Ambari. It occurs when defining alert scripts, as the script filename field is executed using `sh -c`, enabling authenticated users to inject arbitrary shell commands. This flaw leads to remote code execution on the Ambari server and carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). The vulnerability was published on 2025-01-21.
An authenticated attacker with low privileges (PR:L) can exploit this remotely over the network with low complexity and no user interaction required. By crafting a malicious script filename, the attacker injects and executes arbitrary shell commands via the `sh -c` invocation, achieving full remote code execution on the server with high impacts to confidentiality, integrity, and availability.
The vulnerability has been fixed in the latest versions of Ambari, as stated in the advisory. Additional details are available in the Apache mailing list announcement at https://lists.apache.org/thread/70g1l5lxvko7kvhyxmtmklhhfrlon837 and the OSS-Security mailing list at http://www.openwall.com/lists/oss-security/2025/01/21/8.
Details
- CWE(s)