CVE-2022-45855 HIGH

CVE-2022-45855: Apache Ambari: Allows authenticated metrics consumers to perform RCE

Vendor Apache Software Foundation

Product Apache Ambari

Weakness CWE-917

Published July 12, 2023

Last update October 4, 2024

View on NVD All CVEs

CVSS base score

8.0/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction Required

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

What the vulnerability does

Description

SpringEL injection in the metrics source in Apache Ambari version 2.7.0 to 2.7.6 allows a malicious authenticated user to execute arbitrary code remotely. Users are recommended to upgrade to 2.7.7.

Key dates

Disclosure timeline

July 12, 2023 CVE published

October 4, 2024 Record updated

Identifiers

CVE CVE-2022-45855

CWE CWE-917

CVSS 8.0 / HIGH

Affected versions

Vendor Apache Software Foundation

Product Apache Ambari

Affected ≥ 2.7.0 and ≤ 2.7.6