CVE-2016-6807
CRITICAL
Apache Ambari 2.4.0-2.4.1 - Unauthenticated Remote Code Execution via Custom Commands
Title source: llm
Description
Custom commands may be executed on Ambari Agent (2.4.x, before 2.4.2) hosts without authorization, leading to unauthorized access to operations that may affect the underlying system. Such operations are invoked by the Ambari Agent process on Ambari Agent hosts, as the user executing the Ambari Agent process.
References (2)
Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/97184
Release Notes, Vendor Advisory x_refsource_confirm
https://cwiki.apache.org/confluence/display/AMBARI/Ambari+Vulnerabilities#AmbariVulnerabilities-FixedinAmbari2.4.2
Scores
CVSS v3
9.8
EPSS
0.0084
EPSS Percentile
75.0%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-284
Status
published
Products (4)
apache/ambari
2.4.0
apache/ambari
2.4.1
Apache Software Foundation/Apache Ambari
2.4.x before 2.4.2
org.apache.ambari/ambari
2.4.0 - 2.4.2 Maven
Published
Mar 28, 2017
Tracked Since
Feb 18, 2026