CVE-2017-5646: Apache Knox allows impersonation of users

May 13, 2022 (updated April 22, 2025)

For versions of Apache Knox from 0.2.0 to 0.11.0 - an authenticated user may use a specially crafted URL to impersonate another user while accessing WebHDFS through Apache Knox. This may result in escalated privileges and unauthorized data access. While this activity is audit logged and can be easily associated with the authenticated user, this is still a serious security issue. All users are recommended to upgrade to the Apache Knox 0.12.0 release.

References

github.com/advisories/GHSA-g3fc-8jv4-qmmv
github.com/apache/knox
github.com/apache/knox/commit/998dcd257dc839c9651485760da4d614c16e2ca2
lists.apache.org/thread.html/rcd6bcbcc08840d4e4bea661efe9a5ef8f6126ebbbc5bc266701d8f48@%3Cdev.logging.apache.org%3E
nvd.nist.gov/vuln/detail/CVE-2017-5646

Code Behaviors & Features

Detect and mitigate CVE-2017-5646 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →