Cyber Resilience

CVE-2025-23195

Severity: High
Published: 21 January 2025
Modified: 09 June 2025
KEV Added: not listed
Patch: available (fixed in Ambari 2.7.9)
CVSS Score (v3.1): 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0025 (48.5th percentile)
Risk Priority: 15 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-23195 is a high-severity Improper Restriction of XML External Entity Reference (CWE-611) vulnerability in Apache Ambari. Its CVSS base score is 7.5 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 48.5th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2025-23195 is an XML External Entity (XXE) vulnerability, classified under CWE-611, in the Apache Ambari/Oozie project. The flaw arises from insecure XML parsing using the DocumentBuilderFactory class without disabling external entity resolution, enabling attackers to inject malicious XML entities. It affects versions of Ambari prior to 2.7.9, with the issue resolved in Ambari 2.7.9 and the trunk branch. The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high confidentiality impact.

Remote attackers without authentication or user interaction can exploit this vulnerability over the network by submitting crafted XML input to affected endpoints in Ambari/Oozie. Successful exploitation allows arbitrary file reads on the server, potentially exposing sensitive configuration files, credentials, or system data, or enables server-side request forgery (SSRF) to interact with internal services.

The Apache advisories listed under References (the Apache mailing-list announcement and the oss-security posting) confirm the fix in Ambari 2.7.9 and the trunk branch. Security practitioners should upgrade to a patched version and review their own XML parsing code to confirm that external entity processing is explicitly disabled through secure DocumentBuilderFactory settings.
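The following is an added illustration of the parser configuration the analysis describes; it is not code from Ambari, Oozie or the Apache fix. It places a DocumentBuilderFactory with its JDK default settings beside a hardened configuration that refuses DOCTYPE declarations and external entity resolution, and runs both over a constructed sample document that declares an internal entity (nothing is fetched from disk or network). The class name, the sample XML and the `parseRootText` helper are assumptions for this example; the feature and attribute names are the standard JAXP/Xerces identifiers used in the OWASP XXE prevention guidance, and Java 8 or newer is assumed.

```java
import java.io.IOException;
import java.io.StringReader;

import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;

import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

/**
 * Added illustration (not Ambari/Oozie code): a DocumentBuilderFactory with the JDK
 * default settings beside a hardened configuration. Class and helper names are
 * assumptions for this example.
 */
public class XxeParserHardening {

    /** Weak configuration: the factory exactly as newInstance() returns it.
     *  The JDK default accepts DOCTYPE declarations and resolves external entities,
     *  which is the condition the CWE-611 analysis above describes. */
    static DocumentBuilderFactory weakFactory() {
        return DocumentBuilderFactory.newInstance();
    }

    /** Hardened configuration following the OWASP XXE prevention guidance. */
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Primary control: reject any document carrying a DOCTYPE, so no entity can be declared.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for parsers that must tolerate a DOCTYPE: never fetch entities or DTDs.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        // JAXP 1.5 properties: an empty string disallows every protocol for external DTD/schema
        // access. Some non-JDK parser implementations reject these attributes with
        // IllegalArgumentException; the feature flags above already cover that case.
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return f;
    }

    /** Parses the document and returns the root element's text, or "REJECTED: ..." when the
     *  parser refuses the input. Exists only to make the two behaviours visible side by side. */
    static String parseRootText(DocumentBuilderFactory factory, String xml) {
        try {
            DocumentBuilder builder = factory.newDocumentBuilder();
            Document doc = builder.parse(new InputSource(new StringReader(xml)));
            return doc.getDocumentElement().getTextContent();
        } catch (SAXException | IOException | ParserConfigurationException e) {
            return "REJECTED: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a DOCTYPE declaring an internal entity. It references nothing
        // outside the document; it only reveals whether the parser honours a DTD at all.
        String xmlWithDoctype =
            "<?xml version=\"1.0\"?>\n"
          + "<!DOCTYPE job [ <!ENTITY greeting \"hello from a DTD\"> ]>\n"
          + "<job>&greeting;</job>";

        // Default factory: the DTD is processed and the entity reference is expanded.
        System.out.println("weak     -> " + parseRootText(weakFactory(), xmlWithDoctype));
        // Hardened factory: parsing stops at the DOCTYPE with a SAXParseException.
        System.out.println("hardened -> " + parseRootText(hardenedFactory(), xmlWithDoctype));

        // Ordinary input without a DOCTYPE still parses under the hardened configuration.
        String plainXml = "<job><name>wordcount</name></job>";
        System.out.println("hardened, plain -> " + parseRootText(hardenedFactory(), plainXml));
    }
}
```

Compile and run with `javac XxeParserHardening.java && java XxeParserHardening`. The weak factory returns the expanded entity text, the hardened factory reports a rejection at the DOCTYPE, and the plain document parses under both. When reviewing a code base for this class of flaw, the check is simply whether every `DocumentBuilderFactory.newInstance()` call is followed by the `disallow-doctype-decl` feature (or, where a DTD is genuinely required, by the external-entity and external-DTD features set to false) before `newDocumentBuilder()` is called.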

EU & UK References

Vulnerability details

An XML External Entity (XXE) vulnerability exists in the Ambari/Oozie project, allowing an attacker to inject malicious XML entities. This vulnerability occurs due to insecure parsing of XML input using the `DocumentBuilderFactory` class without disabling external entity resolution. An attacker can exploit this vulnerability to read arbitrary files on the server or perform server-side request forgery (SSRF) attacks. The issue has been fixed in both Ambari 2.7.9 and the trunk branch.

CWE(s)

CWE-611 Improper Restriction of XML External Entity Reference

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1005 Data from Local System (Collection)
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
Why these techniques?

XXE in public-facing Ambari/Oozie app enables remote unauthenticated exploitation (T1190); arbitrary file reads directly facilitate local system data access (T1005).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-23196 (same product: Apache Ambari)
CVE-2024-51941 (same product: Apache Ambari)
CVE-2025-68493 (same vendor: Apache)
CVE-2025-66516 (same vendor: Apache)
CVE-2026-40682 (same vendor: Apache)
CVE-2026-24308 (same vendor: Apache)
CVE-2025-50151 (same vendor: Apache)
CVE-2025-29847 (same vendor: Apache)
CVE-2025-27553 (same vendor: Apache)
CVE-2026-24735 (same vendor: Apache)

Affected Assets

Vendor: apache · Product: ambari · Versions: ≤ 2.7.9

Mitigating Controls (NIST 800-53 r5)

prevent: SI-10 (Information Input Validation) directly prevents XXE exploitation by requiring validation of XML inputs to block malicious external entity injection.

prevent: SI-2 (Flaw Remediation) mandates identification and correction of flaws like this insecure XML parsing vulnerability through timely patching to Ambari 2.7.9.

prevent: CM-6 (Configuration Settings) enforces secure configuration settings for XML parsers, such as disabling external entity resolution in DocumentBuilderFactory.

References