

Severity
High
Analysis Summary
CVE-2025-23184 (CVSS 5.9)
Apache CXF is vulnerable to a denial of service when some CachedOutputStream instances are not closed; if they are backed by temporary files, they may fill up the file system.
CVE-2024-51941 (CVSS 8.8)
A remote code injection vulnerability exists in the Ambari Metrics and AMS Alerts feature, allowing authenticated users to inject and execute arbitrary code. The vulnerability occurs when processing alert definitions, where malicious input can be injected into the alert script execution path. An attacker with authenticated access can exploit this vulnerability to execute arbitrary commands on the server. The issue has been fixed in the latest versions of Ambari.
CVE-2025-23196 (CVSS 8.8)
Apache Ambari could allow a remote authenticated attacker to execute arbitrary code on the system, caused by a code injection flaw in the Alert Definition feature.
CVE-2024-45478 (CVSS 5.4)
A stored XSS vulnerability exists in the Edit Service page of the Apache Ranger UI in Apache Ranger version 2.4.0. Users are recommended to upgrade to Apache Ranger 2.5.0, which fixes this issue.
CVE-2025-23195 (CVSS 8.2)
An XML External Entity (XXE) vulnerability exists in the Ambari/Oozie project, allowing an attacker to inject malicious XML entities. This vulnerability occurs due to insecure parsing of XML input using the `DocumentBuilderFactory` class without disabling external entity resolution. An attacker can exploit this vulnerability to read arbitrary files on the server or perform server-side request forgery (SSRF) attacks. The issue has been fixed in both Ambari 2.7.9 and the trunk branch.
CVE-2024-45479 (CVSS 6.5)
An SSRF vulnerability exists in the Edit Service page of the Apache Ranger UI in Apache Ranger version 2.4.0. Users are recommended to upgrade to Apache Ranger 2.5.0, which fixes this issue.
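As an added illustration of the `DocumentBuilderFactory` misuse behind CVE-2025-23195 (this is example code, not code from Ambari or Oozie): the default factory resolves external entities declared in a DOCTYPE, while the hardened factory below refuses any DOCTYPE and disables external entity and DTD access. The feature URIs are the standard JAXP/Xerces ones shipped with the JDK; the XML input and the `file:///placeholder/path` it references are constructed placeholders.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import org.xml.sax.SAXException;

public class HardenedXmlParsing {

    // Constructed sample input: a DOCTYPE that declares an external entity.
    // The SYSTEM URI is a placeholder, not a real file.
    static final String CONSTRUCTED_XML =
        "<?xml version=\"1.0\"?>\n" +
        "<!DOCTYPE cfg [<!ENTITY ext SYSTEM \"file:///placeholder/path\">]>\n" +
        "<cfg><value>&ext;</value></cfg>";

    // The pattern the advisory describes: a factory with default settings, which
    // will try to resolve &ext; from the SYSTEM URI when the document is parsed.
    static DocumentBuilderFactory defaultFactory() {
        return DocumentBuilderFactory.newInstance();
    }

    // Hardened factory: reject DOCTYPE outright (stops XXE and entity-expansion DoS),
    // and additionally turn off external entities and external DTD/schema access.
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return dbf;
    }

    // Returns true when the hardened parser rejects the document, which it does
    // for any input carrying a DOCTYPE, before any entity could be resolved.
    static boolean rejectsDoctype(String xml) throws Exception {
        DocumentBuilder db = hardenedFactory().newDocumentBuilder();
        try {
            db.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return false;
        } catch (SAXException e) {
            return true; // "DOCTYPE is disallowed when the feature ... set to true"
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("hardened parser rejected DOCTYPE: " + rejectsDoctype(CONSTRUCTED_XML));
    }
}
```

Applying the same feature set to every `DocumentBuilderFactory`, `SAXParserFactory` and `XMLInputFactory` an application creates is the fix class the Ambari 2.7.9 release applies; a code search for `newInstance()` on those factories without a following `setFeature` call is a quick way to find remaining unsafe parsers.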
Impact
- Denial of Service
- Gain Access
- Code Execution
- Cross-Site Scripting
- Information Disclosure
Indicators of Compromise
CVE
CVE-2025-23184
CVE-2024-51941
CVE-2025-23196
CVE-2024-45478
CVE-2025-23195
CVE-2024-45479
Affected Vendors
- Apache
Affected Products
- Apache CXF - 3.6.0
- Apache CXF - 4.0.0
- Apache CXF - 3.5.9
- Apache CXF - 3.6.4
- Apache Ambari - 2.7.8
- Apache Ranger - 2.4.0
Remediation
Refer to the Apache website for patch, upgrade, or suggested workaround information.