Every CVE whose affected-product data names Apache Ambari, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (26)
CVE-2016-6807 — CVSS 9.8 (critical): Custom commands may be executed on Ambari Agent (2.4.x, before 2.4.2) hosts without authorization, leading to unauthorized access to…
CVE-2014-3582 — CVSS 9.8 (critical): In Ambari 1.2.0 through 2.2.2, it may be possible to execute arbitrary system commands on the Ambari Server host while generating SSL…
CVE-2017-5642 — CVSS 9.8 (critical): During installation of Ambari 2.4.0 through 2.4.2, Ambari Server artifacts are not created with proper ACLs.
CVE-2025-23196 — CVSS 8.8 (high): A code injection vulnerability exists in the Ambari Alert Definition feature, allowing authenticated users to inject and execute arbitrary…
CVE-2023-50379 — CVSS 8.8 (high): Malicious code injection in Apache Ambari in prior to 2.7.8. Users are recommended to upgrade to version 2.7.8, which fixes this issue…
CVE-2024-51941 — CVSS 8.8 (high): A remote code injection vulnerability exists in the Ambari Metrics and AMS Alerts feature, allowing authenticated users to inject and…
CVE-2018-8042 — CVSS 8.1 (high): Apache Ambari, version 2.5.0 to 2.6.2, passwords for Hadoop credential stores are exposed in Ambari Agent informational log messages when…
CVE-2022-42009 — CVSS 8.0 (high): SpringEL injection in the server agent in Apache Ambari version 2.7.0 to 2.7.6 allows a malicious authenticated user to execute arbitrary…
CVE-2022-45855 — CVSS 8.0 (high): SpringEL injection in the metrics source in Apache Ambari version 2.7.0 to 2.7.6 allows a malicious authenticated user to execute arbitrary…
CVE-2020-13924 — CVSS 7.5 (high): In Apache Ambari versions 2.6.2.2 and earlier, malicious users can construct file names for directory traversal and traverse to other…
CVE-2025-23195 — CVSS 7.5 (high): An XML External Entity (XXE) vulnerability exists in the Ambari/Oozie project, allowing an attacker to inject malicious XML entities. This…
CVE-2017-5654 — CVSS 7.5 (high): In Ambari 2.4.x (before 2.4.3) and Ambari 2.5.0, an authorized user of the Ambari Hive View may be able to gain unauthorized read access to…
CVE-2017-5655 — CVSS 6.5 (medium): In Ambari 2.2.2 through 2.4.2 and Ambari 2.5.0, sensitive data may be stored on disk in temporary files on the Ambari Server host. The…
CVE-2023-50380 — CVSS 6.5 (medium): XML External Entity injection in apache ambari versions <= 2.7.7, Users are recommended to upgrade to version 2.7.8, which fixes this…
CVE-2015-3270 — CVSS 6.5 (medium): Apache Ambari before 2.0.2 or 2.1.x before 2.1.1 allows remote authenticated users to gain administrative privileges via unspecified…
CVE-2020-1936 — CVSS 6.1 (medium): A cross-site scripting issue was found in Apache Ambari Views. This was addressed in Apache Ambari 2.7.4.
CVE-2023-50378 — CVSS 6.1 (medium): Lack of proper input validation and constraint enforcement in Apache Ambari prior to 2.7.8 Impact : As it will be stored XSS, Could be…
CVE-2015-5210 — CVSS 5.8 (medium): Open redirect vulnerability in Apache Ambari before 2.1.2 allows remote attackers to redirect users to arbitrary web sites and conduct…
CVE-2016-4976 — CVSS 5.5 (medium): Apache Ambari 2.x before 2.4.0 includes KDC administrator passwords on the kadmin command line, which allows local users to obtain…
CVE-2015-1775 — CVSS 5.5 (medium): Server-side request forgery (SSRF) vulnerability in the proxy endpoint (api/v1/proxy) in Apache Ambari before 2.1.0 allows remote…
CVE-2018-8003 — CVSS 5.3 (medium): Apache Ambari, versions 1.4.0 to 2.6.1, is susceptible to a directory traversal attack allowing an unauthenticated user to craft an HTTP…
CVE-2016-0731 — CVSS 4.9 (medium): The File Browser View in Apache Ambari before 2.2.1 allows remote authenticated administrators to read arbitrary files via a file: URL in…
CVE-2015-4928 — CVSS 4.3 (medium): Apache Ambari before 2.1, as used in IBM Infosphere BigInsights 4.x before 4.1, includes cleartext passwords on a Configs screen, which…
CVE-2015-3186 — CVSS 3.5 (low): Cross-site scripting (XSS) vulnerability in Apache Ambari before 2.1.0 allows remote authenticated cluster operator users to inject…
CVE-2016-0707 — CVSS 3.3 (low): The agent in Apache Ambari before 2.1.2 uses weak permissions for the (1) /var/lib/ambari-agent/data and (2) /var/lib/ambari-agent/keys…
CVE-2015-4940 — CVSS 2.1 (low): Apache Ambari before 2.1, as used in IBM Infosphere BigInsights 4.x before 4.1, stores a cleartext BigSheets password in a configuration…