[ https://issues.apache.org/jira/browse/AMBARI-24288?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
ASF GitHub Bot updated AMBARI-24288:
------------------------------------
    Labels: cleanup pull-request-available  (was: cleanup)

> Remove org.apache.directory.api:api-ldap-model from Ambari server's dependencies due to security concerns
> ---------------------------------------------------------------------------------------------------------
>
>                 Key: AMBARI-24288
>                 URL: https://issues.apache.org/jira/browse/AMBARI-24288
>             Project: Ambari
>          Issue Type: Bug
>          Components: ambari-server
>    Affects Versions: 2.0.0
>            Reporter: Robert Levas
>            Assignee: Robert Levas
>            Priority: Major
>              Labels: cleanup, pull-request-available
>             Fix For: 2.7.1
>
>
> Remove {{org.apache.directory.api:api-ldap-model}} from Ambari server's dependencies due to security concerns regarding the following CVE:
> * CVE-2018-1337: Plaintext Password Disclosure in Secured Channel
> See https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-1337
> Though Ambari server includes {{api-ldap-model-1.0.0.jar}} in {{/usr/lib/ambari-server}}, the library is not used. Therefore, the vulnerability is not exposed and the library may be excluded from Ambari's package.

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)