Sorry, sent that one too soon. Example:

http://cxf.apache.org/security-advisories

Colm.

On Mon, May 29, 2017 at 10:42 AM, Colm O hEigeartaigh <[email protected]>
wrote:

> Hi Larry,
>
> We should get the CVEs uploaded to the website as well (apologies if it's
> already done + I missed it). For example:
>
>
> On Fri, May 26, 2017 at 7:26 PM, larry mccay <[email protected]> wrote:
>
>> CVE-2017-5646: Apache Knox Impersonation Issue for WebHDFS
>>
>> Severity: Important
>>
>> Vendor:
>> The Apache Software Foundation
>>
>> Versions Affected:
>>     All versions of Apache Knox prior to 0.12.0
>>
>> An authenticated user may use a specially crafted URL to impersonate another
>> user while accessing WebHDFS through Apache Knox. This may result in escalated
>> privileges and unauthorized data access. While this activity is audit logged
>> and can be easily associated with the authenticated user, this is still a
>> serious security issue.
>>
>> Mitigation:
>>   All users are recommended to upgrade to Apache Knox 0.12.0,
>>   where validation, scrubbing and logging of such attempts has been added.
>>
>> The Apache Knox 0.12.0 release can be downloaded from:
>> Source: http://www.apache.org/dyn/closer.cgi/knox/0.12.0/knox-0.12.0-src.zip
>> Binary: http://www.apache.org/dyn/closer.cgi/knox/0.12.0/knox-0.12.0.zip
>>
>
>
>
> --
> Colm O hEigeartaigh
>
> Talend Community Coder
> http://coders.talend.com
>



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
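The advisory quoted above describes the mitigation only in general terms ("validation, scrubbing and logging of such attempts"). The following is an added, constructed example of what that class of fix looks like at a REST gateway; it is not Apache Knox code and does not claim to reproduce the Knox patch. It assumes the caller has already been authenticated by the gateway, and that the client-controllable identity parameters to scrub are the documented WebHDFS query parameters `user.name` and `doas` (the advisory itself does not name the parameter the crafted URL abused). The URL, host and user names are made up; how a real gateway asserts identity downstream (here simply a gateway-set `user.name`) is also a simplification.

```python
"""Strip client-supplied WebHDFS identity parameters at a gateway.

Constructed example for the CVE-2017-5646 advisory above; it is not Apache
Knox code. Assumptions: the gateway has already authenticated the caller,
and the identity-bearing WebHDFS query parameters are ``user.name`` and
``doas`` (documented WebHDFS REST parameters; the advisory does not name
which parameter the crafted URL abused).
"""
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Parameters a client must never be allowed to set through the gateway.
# Compared case-insensitively on the *decoded* name, so "doAs", "DOAS" and
# "user%2Ename" are all caught (assumption: defensive over-matching is fine).
IDENTITY_PARAMS = frozenset({"user.name", "doas"})


def scrub_identity_params(url, authenticated_user):
    """Return (rewritten_url, dropped).

    dropped lists every client-supplied identity parameter that was removed;
    rewritten_url carries only a gateway-asserted user.name for the
    authenticated principal (simplified: a real gateway may assert identity
    to the backend through a different trusted mechanism).
    """
    parts = urlsplit(url)
    kept, dropped = [], []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in IDENTITY_PARAMS:
            dropped.append((name, value))
        else:
            kept.append((name, value))
    # Identity is asserted by the gateway, never copied from the request.
    kept.append(("user.name", authenticated_user))
    return urlunsplit(parts._replace(query=urlencode(kept))), dropped


def is_impersonation_attempt(dropped, authenticated_user):
    """True if any stripped identity parameter named someone other than the
    authenticated caller (a client redundantly sending its own name is
    noise, not an attack)."""
    return any(value != authenticated_user for _, value in dropped)


def audit_line(authenticated_user, dropped):
    """Build the audit record for stripped parameters (constructed format)."""
    attempted = ", ".join(f"{n}={v}" for n, v in dropped)
    return f"user={authenticated_user} stripped_identity_params=[{attempted}]"


if __name__ == "__main__":
    # Constructed request: alice is authenticated but asks to act as hdfs/bob.
    crafted = ("http://gateway.example.org/gateway/default/webhdfs/v1/user/bob"
               "?op=LISTSTATUS&user.name=hdfs&doAs=bob")
    clean_url, dropped = scrub_identity_params(crafted, "alice")
    print(clean_url)
    if is_impersonation_attempt(dropped, "alice"):
        print("ALERT " + audit_line("alice", dropped))
```

The point a practitioner should take from this is the ordering: the client-supplied identity fields are removed before the gateway adds its own, so nothing in the original query string can influence the principal the backend sees, and the stripped values are kept so the attempt can be logged against the authenticated user, which is exactly the property the advisory says the audit log already provided.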
