CVE-2023-38156: Azure HDInsight Apache Ambari JDBC Injection Elevation of Privilege Vulnerability

Overview

Severity

High (CVSS 7.2)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C

Category

Elevation of Privilege

Exploit Status

Not Exploited

Exploitation Likelihood

Less Likely

Patch Tuesday

2023-Sep

Released

2023-09-12

Last Updated

2023-11-30

EPSS Score

0.32% (percentile: 54.8%)

FAQ

How could an attacker exploit this vulnerability? An authenticated attacker with access to the target HDI cluster could send a specially crafted network request to create and assign themselves as a Cluster Administrator. Cluster Administrators can read/write/delete and perform all resource service management operations. What privileges could be gained by an attacker who successfully exploited the vulnerability? An attacker who successfully exploited this vulnerability could gain cluster administrator privileges.

Affected Products (1)

Azure

• Azure HDInsight

Security Updates (1)

• Release Notes

Acknowledgments

Lidor B. with Orca Security

Revision History

• 2023-09-12: Information published.
• 2023-09-13: Updated FAQ information. This is an informational change only.
• 2023-11-30: Updated CVE title. This is an informational change only.