Remote Access Vulnerability in Cloudera Navigator Key Trustee KMS
CVE-2018-6185

4.9 MEDIUM

Key Information:

Vendor

Cloudera

CVE Published:
7 June 2019

What is CVE-2018-6185?

In Cloudera's Navigator Key Trustee KMS versions 5.12 and 5.13, the default ACL settings are misconfigured and permit unauthorized remote access to sensitive API calls. Specifically, the purge and undelete commands for encryption zone keys are exposed because their default ACL value is set to '*'. This flaw allows any user who knows the encryption key's name and has network access to the KMS to perform purge or undelete operations, leading to potential data loss or unauthorized recovery of deleted keys in a Hadoop Distributed File System (HDFS). Users are advised to review and tighten these ACL settings so that purge and undelete are restricted to authorized principals.

CVSS V3.1

Score:
4.9
Severity:
MEDIUM
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
