Description

Apache Ambari, version 2.5.0 to 2.6.2, passwords for Hadoop credential stores are exposed in Ambari Agent informational log messages when the credential store feature is enabled for eligible services. For example, Hive and Oozie.

Remediation

References

https://cwiki.apache.org/confluence/display/AMBARI/Ambari+Vulnerabilities#AmbariVulnerabilities-CVE-2018-8042

http://www.securityfocus.com/bid/104869

Related Vulnerabilities

CVE-2014-3612 Vulnerability in maven package org.apache.activemq:activemq-core

CVE-2020-10686 Vulnerability in maven package org.keycloak:keycloak-model-jpa

CVE-2019-1003053 Vulnerability in maven package org.jenkins-ci.plugins:hockeyapp

CVE-2021-21141 Vulnerability in maven package org.webjars.npm:electron

CVE-2020-2269 Vulnerability in maven package org.jenkins-ci.plugins:chosen-views-tabbar

Severity

Critical

Classification

CWE-209 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Vendor Advisory Broken Link