Hi Larry,

We should get the CVEs uploaded to the website as well (apologies if it's
already done + I missed it). For example:


On Fri, May 26, 2017 at 7:26 PM, larry mccay <[email protected]> wrote:

> CVE-2017-5646: Apache Knox Impersonation Issue for WebHDFS
>
> Severity: Important
>
> Vendor:
> The Apache Software Foundation
>
> Versions Affected:
>     All versions of Apache Knox prior to 0.12.0
>
> An authenticated user may use a specially crafted URL to impersonate
> another
> user while accessing WebHDFS through Apache Knox. This may result in
> escalated
> privileges and unauthorized data access. While this activity is audit
> logged
> and can be easily associated with the authenticated user, this is still a
> serious security issue.
>
> Mitigation:
>   All users are recommended to upgrade to Apache Knox 0.12.0,
>   where validation, scrubbing and logging of such attempts has been added.
>
> The Apache Knox 0.12.0 release can be downloaded from:
> Source: http://www.apache.org/dyn/closer.cgi/knox/0.12.0/knox-0.12.0-src.zip
> Binary: http://www.apache.org/dyn/closer.cgi/knox/0.12.0/knox-0.12.0.zip
>



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
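The advisory's mitigation is validation, scrubbing and audit logging of impersonation attempts at the gateway. The following is an added illustration of that pattern, not Apache Knox code; it assumes the impersonation request parameter follows the Hadoop proxy-user convention (`doas`), and the allowlist of principals permitted to impersonate others is constructed for the example.

```python
"""Illustrative gateway-side check modelled on the advisory's mitigation
(validation, scrubbing and audit logging of impersonation attempts).
Not Apache Knox code; the parameter name and allowlist are assumptions."""
from dataclasses import dataclass, field
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Assumption: the impersonation parameter follows the Hadoop proxy-user
# convention ("doas"). Keys are matched case-insensitively on purpose.
IMPERSONATION_PARAMS = {"doas"}

# Constructed allowlist: which authenticated principals may act on behalf
# of which users. Any principal not listed may only act as itself.
PROXY_USERS = {"svc-etl": {"alice", "bob"}}


@dataclass
class ScrubResult:
    url: str                                   # request with unauthorised values removed
    audit: list = field(default_factory=list)  # one entry per rejected attempt

    @property
    def rejected(self) -> bool:
        return bool(self.audit)


def scrub_impersonation(url: str, authenticated_user: str,
                        proxy_users=PROXY_USERS) -> ScrubResult:
    """Validate impersonation parameters against the authenticated user.

    A doas value equal to the caller is redundant but harmless and is kept.
    A value naming another user is forwarded only if the caller is
    allowlisted for that target; otherwise it is dropped (scrubbed) and
    an audit entry tied to the authenticated principal is recorded.
    """
    parts = urlsplit(url)
    kept, audit = [], []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key.lower() in IMPERSONATION_PARAMS and value != authenticated_user:
            allowed = proxy_users.get(authenticated_user, set())
            if value not in allowed:
                audit.append(f"IMPERSONATION_DENIED principal={authenticated_user} "
                             f"requested={value} path={parts.path}")
                continue  # never forward the unauthorised value upstream
        kept.append((key, value))
    clean = urlunsplit(parts._replace(query=urlencode(kept)))
    return ScrubResult(clean, audit)
```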
