Cloudera Data Science Workbench Remote Command Execution and Information Disclosure Vulnerability

Summary

Remote code execution is possible in Cloudera Data Science Workbench version 1.3.0 and prior releases via unspecified attack vectors.

Credit:

The information has been provided by the vendor.

The original article can be found at:

https://www.cloudera.com/documentation/other/security-bulletins/topics/Security-Bulletin.html


Details

A configuration issue in Kubernetes used by Cloudera Data Science Workbench can allow remote command execution and privilege escalation in CDSW. A separate information permissions issue can cause the LDAP bind password to be exposed to authenticated CDSW users when LDAP bind search is enabled.

Vulnerable Systems:

Cloudera Data Science Workbench

CVE Information:

CVE-2019-11215

Disclosure Timeline:

Publish Date: 07/01/2019