Skip to main content

Ambari

19 CVEs product

Monthly

CVE-2025-23196 HIGH This Month

A code injection vulnerability exists in the Ambari Alert Definition feature, allowing authenticated users to inject and execute arbitrary shell commands. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Command Injection Ambari
NVD
CVSS 3.1
8.8
EPSS
1.2%
CVE-2025-23195 HIGH This Month

An XML External Entity (XXE) vulnerability exists in the Ambari/Oozie project, allowing an attacker to inject malicious XML entities. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE SSRF Ambari
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2024-51941 HIGH This Month

A remote code injection vulnerability exists in the Ambari Metrics and AMS Alerts feature, allowing authenticated users to inject and execute arbitrary code. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Code Injection Ambari
NVD
CVSS 3.1
8.8
EPSS
1.1%
CVE-2018-8042 HIGH This Week

Apache Ambari, version 2.5.0 to 2.6.2, passwords for Hadoop credential stores are exposed in Ambari Agent informational log messages when the credential store feature is enabled for eligible. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Apache Information Disclosure Ambari
NVD
CVSS 3.0
8.1
EPSS
1.8%
CVE-2018-8003 MEDIUM This Month

Apache Ambari, versions 1.4.0 to 2.6.1, is susceptible to a directory traversal attack allowing an unauthenticated user to craft an HTTP request which provides read-only access to any file on the. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Path Traversal Ambari
NVD
CVSS 3.0
5.3
EPSS
4.4%
CVE-2017-5655 MEDIUM This Month

In Ambari 2.2.2 through 2.4.2 and Ambari 2.5.0, sensitive data may be stored on disk in temporary files on the Ambari Server host. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Ambari
NVD
CVSS 3.0
6.5
EPSS
0.1%
CVE-2017-5654 HIGH This Week

In Ambari 2.4.x (before 2.4.3) and Ambari 2.5.0, an authorized user of the Ambari Hive View may be able to gain unauthorized read access to files on the host where the Ambari server executes. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Ambari
NVD
CVSS 3.0
7.5
EPSS
0.9%
CVE-2017-5642 CRITICAL Act Now

During installation of Ambari 2.4.0 through 2.4.2, Ambari Server artifacts are not created with proper ACLs. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Privilege Escalation Ambari
NVD
CVSS 3.0
9.8
EPSS
0.8%
CVE-2016-4976 Maven MEDIUM PATCH This Month

Apache Ambari 2.x before 2.4.0 includes KDC administrator passwords on the kadmin command line, which allows local users to obtain sensitive information via a process listing. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Apache Information Disclosure Ambari
NVD
CVSS 3.0
5.5
EPSS
0.1%
CVE-2014-3582 CRITICAL Act Now

In Ambari 1.2.0 through 2.2.2, it may be possible to execute arbitrary system commands on the Ambari Server host while generating SSL certificates for hosts in an Ambari cluster. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Code Injection Ambari
NVD
CVSS 3.0
9.8
EPSS
0.3%
CVE-2016-6807 Maven CRITICAL PATCH Act Now

Custom commands may be executed on Ambari Agent (2.4.x, before 2.4.2) hosts without authorization, leading to unauthorized access to operations that may affect the underlying system. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Authentication Bypass Ambari
NVD
CVSS 3.0
9.8
EPSS
0.8%
CVE-2016-0731 MEDIUM This Month

The File Browser View in Apache Ambari before 2.2.1 allows remote authenticated administrators to read arbitrary files via a file: URL in the WebHDFS URL configuration. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache Authentication Bypass Ambari
NVD
CVSS 3.0
4.9
EPSS
0.2%
CVE-2016-0707 LOW Monitor

The agent in Apache Ambari before 2.1.2 uses weak permissions for the (1) /var/lib/ambari-agent/data and (2) /var/lib/ambari-agent/keys directories, which allows local users to obtain sensitive. Rated low severity (CVSS 3.3), this vulnerability is low attack complexity. No vendor patch available.

Privilege Escalation Apache Ambari
NVD
CVSS 3.0
3.3
EPSS
0.1%
CVE-2015-4940 LOW Monitor

Apache Ambari before 2.1, as used in IBM Infosphere BigInsights 4.x before 4.1, stores a cleartext BigSheets password in a configuration file, which allows local users to obtain sensitive information. Rated low severity (CVSS 2.1), this vulnerability is low attack complexity. No vendor patch available.

IBM Information Disclosure Apache Ambari
NVD
CVSS 2.0
2.1
EPSS
0.1%
CVE-2015-4928 MEDIUM This Month

Apache Ambari before 2.1, as used in IBM Infosphere BigInsights 4.x before 4.1, includes cleartext passwords on a Configs screen, which allows physically proximate attackers to obtain sensitive. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. No vendor patch available.

IBM Information Disclosure Apache Ambari
NVD
CVSS 2.0
4.3
EPSS
0.9%
CVE-2015-5210 Maven MEDIUM PATCH This Month

Open redirect vulnerability in Apache Ambari before 2.1.2 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the targetURI parameter. Rated medium severity (CVSS 5.8), this vulnerability is remotely exploitable.

Open Redirect Apache Ambari
NVD
CVSS 2.0
5.8
EPSS
1.0%
CVE-2015-3270 MEDIUM This Month

Apache Ambari before 2.0.2 or 2.1.x before 2.1.1 allows remote authenticated users to gain administrative privileges via unspecified vectors, possibly related to changing passwords. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Privilege Escalation Apache Ambari
NVD
CVSS 2.0
6.5
EPSS
0.8%
CVE-2015-3186 LOW Monitor

Cross-site scripting (XSS) vulnerability in Apache Ambari before 2.1.0 allows remote authenticated cluster operator users to inject arbitrary web script or HTML via the note field in a configuration. Rated low severity (CVSS 3.5), this vulnerability is remotely exploitable. No vendor patch available.

XSS Apache Ambari
NVD
CVSS 2.0
3.5
EPSS
0.2%
CVE-2015-1775 Maven MEDIUM PATCH This Month

Server-side request forgery (SSRF) vulnerability in the proxy endpoint (api/v1/proxy) in Apache Ambari before 2.1.0 allows remote authenticated users to conduct port scans and access unsecured. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable, low attack complexity.

SSRF Apache Ambari
NVD
CVSS 2.0
5.5
EPSS
0.2%
EPSS 1% CVSS 8.8
HIGH This Month

A code injection vulnerability exists in the Ambari Alert Definition feature, allowing authenticated users to inject and execute arbitrary shell commands. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Command Injection Ambari
NVD
EPSS 0% CVSS 7.5
HIGH This Month

An XML External Entity (XXE) vulnerability exists in the Ambari/Oozie project, allowing an attacker to inject malicious XML entities. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE SSRF Ambari
NVD
EPSS 1% CVSS 8.8
HIGH This Month

A remote code injection vulnerability exists in the Ambari Metrics and AMS Alerts feature, allowing authenticated users to inject and execute arbitrary code. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Code Injection Ambari
NVD
EPSS 2% CVSS 8.1
HIGH This Week

Apache Ambari, version 2.5.0 to 2.6.2, passwords for Hadoop credential stores are exposed in Ambari Agent informational log messages when the credential store feature is enabled for eligible. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Apache Information Disclosure Ambari
NVD
EPSS 4% CVSS 5.3
MEDIUM This Month

Apache Ambari, versions 1.4.0 to 2.6.1, is susceptible to a directory traversal attack allowing an unauthenticated user to craft an HTTP request which provides read-only access to any file on the. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Path Traversal Ambari
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

In Ambari 2.2.2 through 2.4.2 and Ambari 2.5.0, sensitive data may be stored on disk in temporary files on the Ambari Server host. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Ambari
NVD
EPSS 1% CVSS 7.5
HIGH This Week

In Ambari 2.4.x (before 2.4.3) and Ambari 2.5.0, an authorized user of the Ambari Hive View may be able to gain unauthorized read access to files on the host where the Ambari server executes. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Ambari
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

During installation of Ambari 2.4.0 through 2.4.2, Ambari Server artifacts are not created with proper ACLs. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Privilege Escalation Ambari
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Apache Ambari 2.x before 2.4.0 includes KDC administrator passwords on the kadmin command line, which allows local users to obtain sensitive information via a process listing. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Apache Information Disclosure Ambari
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

In Ambari 1.2.0 through 2.2.2, it may be possible to execute arbitrary system commands on the Ambari Server host while generating SSL certificates for hosts in an Ambari cluster. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Code Injection Ambari
NVD
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

Custom commands may be executed on Ambari Agent (2.4.x, before 2.4.2) hosts without authorization, leading to unauthorized access to operations that may affect the underlying system. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Authentication Bypass Ambari
NVD
EPSS 0% CVSS 4.9
MEDIUM This Month

The File Browser View in Apache Ambari before 2.2.1 allows remote authenticated administrators to read arbitrary files via a file: URL in the WebHDFS URL configuration. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache Authentication Bypass Ambari
NVD
EPSS 0% CVSS 3.3
LOW Monitor

The agent in Apache Ambari before 2.1.2 uses weak permissions for the (1) /var/lib/ambari-agent/data and (2) /var/lib/ambari-agent/keys directories, which allows local users to obtain sensitive. Rated low severity (CVSS 3.3), this vulnerability is low attack complexity. No vendor patch available.

Privilege Escalation Apache Ambari
NVD
EPSS 0% CVSS 2.1
LOW Monitor

Apache Ambari before 2.1, as used in IBM Infosphere BigInsights 4.x before 4.1, stores a cleartext BigSheets password in a configuration file, which allows local users to obtain sensitive information. Rated low severity (CVSS 2.1), this vulnerability is low attack complexity. No vendor patch available.

IBM Information Disclosure Apache +1
NVD
EPSS 1% CVSS 4.3
MEDIUM This Month

Apache Ambari before 2.1, as used in IBM Infosphere BigInsights 4.x before 4.1, includes cleartext passwords on a Configs screen, which allows physically proximate attackers to obtain sensitive. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. No vendor patch available.

IBM Information Disclosure Apache +1
NVD
EPSS 1% CVSS 5.8
MEDIUM PATCH This Month

Open redirect vulnerability in Apache Ambari before 2.1.2 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the targetURI parameter. Rated medium severity (CVSS 5.8), this vulnerability is remotely exploitable.

Open Redirect Apache Ambari
NVD
EPSS 1% CVSS 6.5
MEDIUM This Month

Apache Ambari before 2.0.2 or 2.1.x before 2.1.1 allows remote authenticated users to gain administrative privileges via unspecified vectors, possibly related to changing passwords. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Privilege Escalation Apache Ambari
NVD
EPSS 0% CVSS 3.5
LOW Monitor

Cross-site scripting (XSS) vulnerability in Apache Ambari before 2.1.0 allows remote authenticated cluster operator users to inject arbitrary web script or HTML via the note field in a configuration. Rated low severity (CVSS 3.5), this vulnerability is remotely exploitable. No vendor patch available.

XSS Apache Ambari
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Server-side request forgery (SSRF) vulnerability in the proxy endpoint (api/v1/proxy) in Apache Ambari before 2.1.0 allows remote authenticated users to conduct port scans and access unsecured. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable, low attack complexity.

SSRF Apache Ambari
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy