Cloudera Manager < 4.8.3 / 5.x < 5.0.1 Information Disclosure

medium Nessus Plugin ID 76260

Synopsis

The remote web server hosts an application that is affected by an information disclosure vulnerability.

Description

The version of Cloudera Manager running on the remote host is prior to 4.8.3, or is 5.x prior to 5.0.1. It is, therefore, affected by an information disclosure vulnerability because the API fails to properly restrict access to sensitive data by non-administrator users. A low-privileged user can use this flaw to access sensitive configuration values that should only be accessible to users with administrative privileges.

Solution

Upgrade to Cloudera Manager version 4.8.3 / 5.0.1 or later.

See Also

http://www.nessus.org/u?b1d4a81a

http://www.nessus.org/u?945ec805

http://www.nessus.org/u?1257c4c6

Plugin Details

Severity: Medium

ID: 76260

File Name: cloudera_manager_4_8_3.nasl

Version: 1.6

Type: remote

Family: CGI abuses

Published: 6/26/2014

Updated: 1/19/2021

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Low

Score: 2.5

CVSS v2

Risk Factor: Medium

Base Score: 4

Temporal Score: 3

Vector: CVSS2#AV:N/AC:L/Au:S/C:P/I:N/A:N

Vulnerability Information

CPE: cpe:/a:cloudera:cloudera_manager

Required KB Items: installed_sw/Cloudera Manager

Exploit Ease: No known exploits are available

Patch Publication Date: 6/13/2014

Vulnerability Publication Date: 6/5/2014

Reference Information

CVE: CVE-2014-0220

BID: 67912