Sure, we can cherry-pick. Will do, thanks.

From: Jialiang Cai <jialiangca...@gmail.com>
Date: Saturday, March 2, 2024 at 11:29
To: user@ambari.apache.org <user@ambari.apache.org>
Subject: Re: CVE-2023-50378: Apache Ambari: Various XSS problems
Which issue addresses this vulnerability? Can it be merged into 2.8?

> On Mar 1, 2024, at 22:31, Brahma Reddy Battula <bra...@apache.org> wrote:
>
> Severity: important
>
> Affected versions:
>
> - Apache Ambari 2.7.0 through 2.7.7
>
> Description:
>
> Lack of proper input validation and constraint enforcement in Apache Ambari 
> prior to 2.7.8
>
> Impact: As it will be stored XSS, could be exploited to perform 
> unauthorized actions, varying from data access to session hijacking and 
> delivering malicious payloads.
>
> Users are recommended to upgrade to version 2.7.8 which fixes this issue.
>
> References:
>
> https://ambari.apache.org/
> https://www.cve.org/CVERecord?id=CVE-2023-50378
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: user-unsubscr...@ambari.apache.org
> For additional commands, e-mail: user-h...@ambari.apache.org
>

