CVE-2025-23195
Published: 21 January 2025
Summary
CVE-2025-23195 is a high-severity Improper Restriction of XML External Entity Reference (CWE-611) vulnerability in Apache Ambari. Its CVSS base score is 7.5 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 49.2% of CVEs by exploit likelihood and is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SI-10 (Information Input Validation) addresses XXE by requiring that XML input from untrusted sources be validated before it is parsed, so that inline DTD and entity declarations are rejected rather than resolved.
SI-2 (Flaw Remediation) requires that flaws such as this insecure XML parsing defect be identified and corrected, here by timely upgrade to Ambari 2.7.9.
CM-6 (Configuration Settings) enforces secure configuration of XML parsers, such as disabling external entity resolution in DocumentBuilderFactory or disallowing DOCTYPE declarations altogether.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
An XXE in the public-facing Ambari/Oozie application is reachable by an unauthenticated remote attacker (T1190); the resulting arbitrary file read gives the attacker data from the local system of the server (T1005).
NVD Description
An XML External Entity (XXE) vulnerability exists in the Ambari/Oozie project, allowing an attacker to inject malicious XML entities. This vulnerability occurs due to insecure parsing of XML input using the `DocumentBuilderFactory` class without disabling external entity resolution. An attacker can exploit this vulnerability to read arbitrary files on the server or perform server-side request forgery (SSRF) attacks. The issue has been fixed in both Ambari 2.7.9 and the trunk branch.
Deeper analysis
CVE-2025-23195 is an XML External Entity (XXE) vulnerability, classified under CWE-611, in the Apache Ambari/Oozie project. The flaw arises from parsing XML with the DocumentBuilderFactory class in its default configuration, which resolves external entities, so an attacker-supplied DOCTYPE can declare an entity that points at a local file or a URL and have the parser resolve it. It affects versions of Ambari prior to 2.7.9 and is resolved in Ambari 2.7.9 and the trunk branch. The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N): the score reflects a high confidentiality impact only; the SSRF side effect described below is not reflected in the integrity or availability metrics.
Remote attackers without authentication or user interaction can exploit this vulnerability over the network by submitting crafted XML input to affected endpoints in Ambari/Oozie. Successful exploitation allows arbitrary file reads on the server, potentially exposing sensitive configuration files, credentials, or system data, or enables server-side request forgery (SSRF) to interact with internal services reachable from the Ambari host.
Apache advisories, detailed in the provided references including the Apache mailing list announcement and oss-security posting, confirm the fix in Ambari 2.7.9 and the trunk branch. Security practitioners should upgrade to these patched versions and review XML parsing configurations to ensure that external entity processing is explicitly disabled (or DOCTYPE declarations rejected outright) through secure DocumentBuilderFactory settings, rather than relying on parser defaults.
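As an added illustration of the parser configuration discussed above (this is not code from the Ambari project, the advisory, or the NVD entry), the following Java snippet places the insecure default DocumentBuilderFactory pattern beside a hardened configuration and feeds both the same constructed XXE payload. The class name, method names, the `name` element and the `/etc/hostname` target path are assumptions made for the example; the feature URIs are the standard JAXP/Xerces ones honoured by the JDK's built-in parser.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

public class XxeHardeningDemo {

    // Constructed XXE payload (not from any real exploit): the DOCTYPE declares an
    // external entity backed by a local file and the body references it, so a
    // parser that resolves external entities copies the file into <name>.
    static final String PAYLOAD =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE config [\n"
      + "  <!ENTITY xxe SYSTEM \"file:///etc/hostname\">\n"
      + "]>\n"
      + "<config><name>&xxe;</name></config>";

    // Vulnerable pattern: a factory with default settings. The JDK default parser
    // processes DOCTYPE declarations and resolves external general entities.
    static DocumentBuilderFactory insecureFactory() {
        return DocumentBuilderFactory.newInstance();
    }

    // Hardened pattern. Disallowing DOCTYPE is the single most effective setting,
    // because an XXE payload must declare its entity in a DOCTYPE; the remaining
    // features are defence in depth for parsers that do not honour the first.
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setXIncludeAware(false);
        // Note: setExpandEntityReferences(false) alone does NOT stop external
        // entity resolution; it is only useful in combination with the above.
        dbf.setExpandEntityReferences(false);
        return dbf;
    }

    // Parse the document with the given factory and return the text of <name>.
    static String parseName(DocumentBuilderFactory dbf, String xml) throws Exception {
        DocumentBuilder db = dbf.newDocumentBuilder();
        Document doc = db.parse(new InputSource(new StringReader(xml)));
        return doc.getElementsByTagName("name").item(0).getTextContent();
    }

    public static void main(String[] args) throws Exception {
        try {
            // On a host where /etc/hostname exists, this prints its contents.
            System.out.println("insecure parser returned: "
                + parseName(insecureFactory(), PAYLOAD));
        } catch (Exception e) {
            System.out.println("insecure parser attempted the entity fetch and failed: " + e);
        }
        try {
            parseName(hardenedFactory(), PAYLOAD);
            System.out.println("hardened parser unexpectedly accepted the payload");
        } catch (SAXParseException e) {
            // Expected: the parser refuses the document at the DOCTYPE declaration.
            System.out.println("hardened parser rejected the payload: " + e.getMessage());
        }
    }
}
```

The contrast to check in a code review is the one the NVD description names: any `DocumentBuilderFactory.newInstance()` that is handed untrusted input without the `disallow-doctype-decl` feature (or, where DTDs are genuinely needed, with both external entity features set to false) is the vulnerable pattern. The same applies to `SAXParserFactory`, `XMLInputFactory` and `TransformerFactory`, which the hardened settings above do not cover.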
Details
- CWE(s)