Description

Apache Ambari, version 2.5.0 to 2.6.2, passwords for Hadoop credential stores are exposed in Ambari Agent informational log messages when the credential store feature is enabled for eligible services. For example, Hive and Oozie.

Remediation

References

http://www.securityfocus.com/bid/104869

https://cwiki.apache.org/confluence/display/AMBARI/Ambari+Vulnerabilities#AmbariVulnerabilities-CVE-2018-8042

Related Vulnerabilities

CVE-2020-5403 Vulnerability in maven package io.projectreactor.netty:reactor-netty

CVE-2019-20365 Vulnerability in maven package org.igniterealtime.openfire:xmppserver

CVE-2019-1003078 Vulnerability in maven package org.jenkins-ci.plugins:labmanager

CVE-2018-1336 Vulnerability in maven package org.apache.tomcat:tomcat-util

CVE-2020-2230 Vulnerability in maven package org.jenkins-ci.main:jenkins-core

Severity

Critical

Classification

CWE-209 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Broken Link Vendor Advisory