CVE-2023-36419: Azure HDInsight Apache Oozie Workflow Scheduler XXE Elevation of Privilege Vulnerability

Overview

Severity: High (CVSS 8.8)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Category: Elevation of Privilege
Exploit Status: Not Exploited
Exploitation Likelihood: Less Likely
Patch Tuesday: 2023-Oct
Released: 2023-10-10
Last Updated: 2023-11-30
EPSS Score: 0.68% (percentile: 71.6%)

FAQ

What privileges could be gained by an attacker who successfully exploited the vulnerability?
An attacker who successfully exploited this vulnerability could gain cluster administrator privileges.

What action is required to secure my resources against this vulnerability?
A script action has been made available to assist customers with updating their resources as required. It can be found here: CVE-2023-36419 Script Action

Affected Products (1)

Azure

  • Azure HDInsight

Security Updates (1)

Acknowledgments

Lidor B. with Orca Security

Revision History

  • 2023-10-10: Information published.
  • 2023-11-30: Updated CVE title. This is an informational change only.