Oozie local privilege escalation
CVE-2020-35451

4.7MEDIUM

Key Information:

Vendor: Apache
Status: Apache Oozie
Vendor: CVE Published:; 9 March 2021

Summary

There is a race condition in OozieSharelibCLI in Apache Oozie before version 5.2.1 which allows a malicious attacker to replace the files in Oozie's sharelib during it's creation.

Affected Version(s)

Apache Oozie < 5.2.1

References

https://lists.apache.org/thread.html/r8688debdb8b586aab3e...

x_refsource_MISC

https://lists.apache.org/thread.html/r8688debdb8b586aab3e...

mailing-listx_refsource_MLIST

http://www.openwall.com/lists/oss-security/2021/03/09/2

mailing-listx_refsource_MLIST

CVSS V3.1

Score:

4.7

Severity:

MEDIUM

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Local

Attack Complexity:

High

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Mar 9, 2021
Vulnerability Reserved
Dec 14, 2020

Credit

The Apache Oozie PMC would like to thank Jonathan Leitschuh for reporting the issue