CVE-2025-23196

A code injection vulnerability exists in the Ambari Alert Definition feature, allowing authenticated users to inject and execute arbitrary shell commands. The vulnerability arises when defining alert scripts, where the script filename field is executed using `sh -c`. An attacker with authenticated access can exploit this vulnerability to inject malicious commands, leading to remote code execution on the server. The issue has been fixed in the latest versions of Ambari.

CVSS v3 8.8 HIGH

8.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://lists.apache.org/thread/70g1l5lxvko7kvhyxmtmklhhfrlon837	Vendor Advisory
http://www.openwall.com/lists/oss-security/2025/01/21/8	Mailing List Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:apache:ambari:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2025-01-21 22:15

Updated : 2025-06-09 19:42

NVD link : CVE-2025-23196

Mitre link : CVE-2025-23196

CVE.ORG link : CVE-2025-23196

JSON object : View

Products Affected

apache

ambari

CWE

CWE-77

Improper Neutralization of Special Elements used in a Command ('Command Injection')

{"id": "CVE-2025-23196", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}]}, "published": "2025-01-21T22:15:12.987", "references": [{"url": "https://lists.apache.org/thread/70g1l5lxvko7kvhyxmtmklhhfrlon837", "tags": ["Vendor Advisory"], "source": "[email protected]"}, {"url": "http://www.openwall.com/lists/oss-security/2025/01/21/8", "tags": ["Mailing List", "Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-77"}]}], "descriptions": [{"lang": "en", "value": "A code injection vulnerability exists in the Ambari Alert Definition \nfeature, allowing authenticated users to inject and execute arbitrary \nshell commands. The vulnerability arises when defining alert scripts, \nwhere the script filename field is executed using `sh -c`. An attacker \nwith authenticated access can exploit this vulnerability to inject \nmalicious commands, leading to remote code execution on the server. The \nissue has been fixed in the latest versions of Ambari."}, {"lang": "es", "value": "Existe una vulnerabilidad de inyecci\u00f3n de c\u00f3digo en la funci\u00f3n de definici\u00f3n de alertas de Ambari, que permite a los usuarios autenticados inyectar y ejecutar comandos de shell arbitrarios. La vulnerabilidad surge al definir la alerta scripts, donde el campo de nombre de archivo script se ejecuta utilizando `sh -c`. Un atacante con acceso autenticado puede aprovechar esta vulnerabilidad para inyectar comandos maliciosos, lo que lleva a la ejecuci\u00f3n remota de c\u00f3digo en el servidor. El problema se ha solucionado en las \u00faltimas versiones de Ambari."}], "lastModified": "2025-06-09T19:42:00.100", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:apache:ambari:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "DAB94B88-4AAB-4690-8A00-DD223D72E8D4", "versionEndExcluding": "2.7.9"}], "operator": "OR"}]}], "sourceIdentifier": "[email protected]"}