
Multiple Apache Products Vulnerabilities

Severity

High

Analysis Summary

CVE-2025-23184 CVSS:5.9

Apache CXF is vulnerable to a denial of service when some CachedOutputStream instances are not closed and, if backed by temporary files, may fill up the file system.

CVE-2024-51941 CVSS:8.8

A remote code injection vulnerability exists in the Ambari Metrics and AMS Alerts feature, allowing authenticated users to inject and execute arbitrary code. The vulnerability occurs when processing alert definitions, where malicious input can be injected into the alert script execution path. An attacker with authenticated access can exploit this vulnerability to execute arbitrary commands on the server. The issue has been fixed in the latest versions of Ambari.

CVE-2025-23196 CVSS:8.8

Apache Ambari could allow a remote authenticated attacker to execute arbitrary code on the system, caused by a code injection flaw in the Alert Definition feature.

CVE-2024-45478 CVSS:5.4

Stored XSS vulnerability in Edit Service Page of Apache Ranger UI in Apache Ranger Version 2.4.0. Users are recommended to upgrade to version Apache Ranger 2.5.0, which fixes this issue.

CVE-2025-23195 CVSS:8.2

An XML External Entity (XXE) vulnerability exists in the Ambari/Oozie project, allowing an attacker to inject malicious XML entities. This vulnerability occurs due to insecure parsing of XML input using the `DocumentBuilderFactory` class without disabling external entity resolution. An attacker can exploit this vulnerability to read arbitrary files on the server or perform server-side request forgery (SSRF) attacks. The issue has been fixed in both Ambari 2.7.9 and the trunk branch.
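The advisory above attributes the XXE to a `DocumentBuilderFactory` used with external entity resolution left enabled. The following is an added illustration, not code from Ambari or Oozie, of how a factory is hardened so that such input is rejected before any entity is resolved. The class name, the sample document and the `file:///placeholder/path` URI are constructed for this example; the feature URIs and `XMLConstants` properties are the standard JAXP/Xerces ones.

```java
import java.io.IOException;
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public class HardenedXmlParsing {

    // Constructed sample input: a document that declares an external entity.
    // A factory left at its defaults would attempt to resolve the SYSTEM URI;
    // the hardened factory below rejects the DOCTYPE before reaching it.
    static final String SAMPLE_XML =
        "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE config [ <!ENTITY ext SYSTEM \"file:///placeholder/path\"> ]>\n"
        + "<config><value>&ext;</value></config>";

    // The pattern the advisory describes: a factory created and used as-is.
    static DocumentBuilderFactory defaultFactory() {
        return DocumentBuilderFactory.newInstance();
    }

    // Hardened configuration: no DOCTYPE at all, so neither external entities
    // nor entity expansion can be declared, plus belt-and-braces settings for
    // parsers that do not honour the first feature.
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        // JAXP 1.5 properties: forbid any external DTD or schema access by protocol.
        dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return dbf;
    }

    static Document parse(DocumentBuilderFactory dbf, String xml)
            throws ParserConfigurationException, SAXException, IOException {
        DocumentBuilder builder = dbf.newDocumentBuilder();
        return builder.parse(new InputSource(new StringReader(xml)));
    }

    public static void main(String[] args) throws Exception {
        try {
            parse(hardenedFactory(), SAMPLE_XML);
            System.out.println("unexpected: hardened parser accepted the document");
        } catch (SAXException e) {
            // Expected outcome: the DOCTYPE declaration itself is refused,
            // so the external entity is never fetched.
            System.out.println("rejected as expected: " + e.getMessage());
        }
    }
}
```

Rejecting the DOCTYPE outright is the simplest rule to audit; the individual entity features and the `ACCESS_EXTERNAL_*` properties matter when a code base must accept documents with a DTD, in which case external access is still denied while the rest of the document parses normally.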

CVE-2024-45479 CVSS:6.5

SSRF vulnerability in Edit Service Page of Apache Ranger UI in Apache Ranger Version 2.4.0. Users are recommended to upgrade to version Apache Ranger 2.5.0, which fixes this issue.

Impact

  • Denial of Service
  • Gain Access
  • Code Execution
  • Cross-Site Scripting
  • Information Disclosure

Indicators of Compromise

CVE

  • CVE-2025-23184
  • CVE-2024-51941
  • CVE-2025-23196
  • CVE-2024-45478
  • CVE-2025-23195
  • CVE-2024-45479

Affected Vendors

Apache

Affected Products

  • Apache CXF - 3.6.0
  • Apache CXF - 4.0.0
  • Apache CXF - 3.5.9
  • Apache CXF - 3.6.4
  • Apache Ambari - 2.7.8
  • Apache Ranger - 2.4.0

Remediation

Refer to the Apache website for patch, upgrade, or suggested workaround information for each CVE listed below.

  • CVE-2025-23184
  • CVE-2024-51941
  • CVE-2025-23196
  • CVE-2024-45478
  • CVE-2025-23195
  • CVE-2024-45479