Securityvulns SECURITYVULNS:DOC:30810
Jun 14, 2014 - 12:00 a.m.

Details for CVE-2014-0220

vulners.com

Technical Service Bulletin 2014-28 (TSB)

Title: Security Vulnerability: Sensitive Configuration Values Exposed in
Cloudera Manager

Certain configuration values that are stored in Cloudera Manager are
considered 'sensitive', such as database passwords. These configuration
values are expected to be inaccessible to non-admin users, and this is
enforced in the Cloudera Manager Admin Console. However, these
configuration values are not redacted when reading them through the API,
possibly making them accessible to users who should not have such access.

Products affected: Cloudera Manager

Releases affected: Cloudera Manager 4.8.2 and lower, Cloudera Manager 5.0.0

Users Affected: Cloudera Manager installations with non-admin users

Date/time of detection: May 7, 2014

Severity: High

Impact: Through the API only, non-admin users can access potentially
sensitive configuration information

CVE: CVE-2014-0220

Immediate action required:

See the following knowledge base article:

Security Vulnerability: Sensitive Configuration Values Exposed in Cloudera
Manager

ETA for resolution: May 13, 2014

Addressed in release/refresh/patch: Cloudera Manager 4.8.3 and 5.0.1
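
To triage a fleet against this bulletin, the sketch below (an added example, not code from Cloudera or from the bulletin) classifies each installation using the affected releases, the fixed releases and the "Users Affected" condition stated above. The inventory format, host names and status labels are assumptions made for illustration, and 5.x releases other than 5.0.0 are treated as not affected because the bulletin lists only 5.0.0.

```python
import re

# Release boundaries as stated in the bulletin.
FIXED_4X = (4, 8, 3)      # 4.8.2 and lower are affected
AFFECTED_5X = (5, 0, 0)   # the only 5.x release listed as affected
FIXED_5X = (5, 0, 1)

def parse_version(text):
    """Extract (major, minor, patch) from a version string such as '4.8.2'."""
    match = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if match is None:
        raise ValueError("unrecognised version: %r" % text)
    return tuple(int(part) for part in match.groups())

def fixed_release(version):
    """Return the fixed release to move to, or None if the version is not affected."""
    v = parse_version(version)
    if v[0] <= 4:
        return FIXED_4X if v < FIXED_4X else None
    return FIXED_5X if v == AFFECTED_5X else None

def triage(inventory):
    """Map each host name to (status, fixed release string or None)."""
    report = {}
    for host in inventory:
        try:
            target = fixed_release(host["version"])
        except ValueError:
            # Do not guess: an unparseable version needs manual follow-up.
            report[host["name"]] = ("unknown-version", None)
            continue
        if target is None:
            status = "not-affected"
        elif host["non_admin_users"] > 0:
            status = "exposed"  # matches "Users Affected" in the bulletin
        else:
            status = "affected-no-non-admin-users"
        report[host["name"]] = (status, ".".join(map(str, target)) if target else None)
    return report

# Constructed inventory for illustration; names and counts are not from the bulletin.
INVENTORY = [
    {"name": "cm-prod", "version": "4.8.2", "non_admin_users": 12},
    {"name": "cm-dev", "version": "5.0.0", "non_admin_users": 0},
    {"name": "cm-lab", "version": "5.0.1", "non_admin_users": 3},
    {"name": "cm-old", "version": "4.8.3", "non_admin_users": 5},
    {"name": "cm-misc", "version": "unknown", "non_admin_users": 1},
]
```

Hosts reported as "affected-no-non-admin-users" still run a release the bulletin lists as affected and become exposed as soon as a non-admin account is created.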
