CVE-2020-13924

7.5 HIGH

📋 TL;DR

This directory traversal vulnerability in Apache Ambari allows malicious users to construct file names that escape intended directories, enabling unauthorized file downloads. It affects Apache Ambari versions 2.6.2.2 and earlier, potentially exposing sensitive configuration files and credentials.

💻 Affected Systems

Products:
  • Apache Ambari
Versions: 2.6.2.2 and earlier
Operating Systems: All operating systems running Apache Ambari
Default Config Vulnerable: ⚠️ Yes
Notes: All default configurations of affected versions are vulnerable if the Ambari web interface is accessible.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers download sensitive files like configuration files, credentials, or private keys, leading to complete system compromise and data exfiltration.

🟠 Likely Case

Unauthorized access to configuration files containing service credentials, potentially enabling lateral movement within the Ambari-managed cluster.

🟢 If Mitigated

Limited impact if proper network segmentation and access controls prevent unauthorized users from reaching Ambari interfaces.

🌐 Internet-Facing: HIGH if Ambari web interface is exposed to the internet, as exploitation requires only web access.
🏢 Internal Only: MEDIUM for internal networks, as attackers would need internal access but exploitation is straightforward.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access to Ambari, but the directory traversal technique is well-known and simple to implement.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Apache Ambari 2.6.2.3 and later

Vendor Advisory: https://mail-archives.apache.org/mod_mbox/ambari-user/202102.mbox/%3CCAEJYuxEQZ_aPwJdAaSxPu-Dva%3Dhc7zZUx3-pzBORbd23g%2BGH1A%40mail.gmail.com%3E

Restart Required: Yes

Instructions:

1. Back up the Ambari configuration and databases.
2. Upgrade to Ambari 2.6.2.3 or later following the official upgrade procedures.
3. Restart Ambari services to apply the fix.

🔧 Temporary Workarounds

Network Access Restriction

Restrict network access to the Ambari web interface to trusted IP addresses only. The rules below assume the default Ambari port 8080; order matters, because iptables evaluates rules top to bottom, so the ACCEPT for the trusted address must come before the DROP.

iptables -A INPUT -p tcp --dport 8080 -s TRUSTED_IP -j ACCEPT
iptables -A INPUT -p tcp --dport 8080 -j DROP

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate Ambari servers from untrusted networks.
  • Apply web application firewall (WAF) rules to block directory traversal patterns in HTTP requests.

🔍 How to Verify

Check if Vulnerable:

Check the Ambari version via 'ambari-server --version' or the web interface. If the version is 2.6.2.2 or earlier, the system is vulnerable.

Check Version:

ambari-server --version

Verify Fix Applied:

After patching, verify that the version is 2.6.2.3 or later and test that directory traversal attempts are blocked.

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests containing '../' or similar directory traversal patterns in Ambari access logs
  • Unusual file access patterns from Ambari web interface

Network Indicators:

  • HTTP requests with encoded directory traversal sequences (e.g., %2e%2e%2f)

SIEM Query:

source="ambari_access.log" AND (url="*../*" OR url="*..%2f*")
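An added detection example (not from the advisory or the Ambari project) that applies the log indicators above to a few constructed common-log-style access lines; the real Ambari access log format is an assumption here. It percent-decodes each request path repeatedly before matching, so plain `../`, `%2e%2e%2f` and double-encoded forms are all flagged, whereas the literal SIEM query above only matches the first two spellings.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in common-log style (hypothetical; adjust REQUEST_RE to your log format).
SAMPLE_LOG = """\
10.0.0.5 - admin [12/Feb/2021:10:01:02 +0000] "GET /api/v1/clusters/c1/services HTTP/1.1" 200 512
10.0.0.7 - admin [12/Feb/2021:10:01:09 +0000] "GET /resources/../../../etc/passwd HTTP/1.1" 200 1234
10.0.0.7 - admin [12/Feb/2021:10:01:15 +0000] "GET /resources/%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 1234
10.0.0.7 - admin [12/Feb/2021:10:01:21 +0000] "GET /resources/%252e%252e%252fetc/passwd HTTP/1.1" 200 1234
10.0.0.9 - user1 [12/Feb/2021:10:02:00 +0000] "GET /api/v1/hosts?fields=Hosts/os_type HTTP/1.1" 200 256
"""

REQUEST_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# A ".." path segment after normalisation: "/../", leading "../" or trailing "/..".
TRAVERSAL_RE = re.compile(r'(^|/)\.\.(/|$)')


def normalize_path(path: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly (bounded) so %2e%2e%2f and %252e%252e%252f both
    collapse to '../', then fold backslashes to forward slashes."""
    prev = None
    for _ in range(rounds):
        if path == prev:
            break
        prev, path = path, unquote(path)
    return path.replace("\\", "/")


def find_traversal(log_text: str) -> list:
    """Return one record per request whose decoded path contains a '..' segment."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        decoded = normalize_path(m.group("path"))
        if TRAVERSAL_RE.search(decoded):
            hits.append({"src": m.group("src"), "user": m.group("user"),
                         "path": m.group("path"), "decoded": decoded,
                         "status": int(m.group("status"))})
    return hits


if __name__ == "__main__":
    for h in find_traversal(SAMPLE_LOG):
        print(f'{h["src"]} {h["user"]} {h["status"]} {h["path"]} -> {h["decoded"]}')
```

A 200 status on a flagged request is the strongest signal, since a patched server rejects the traversal rather than serving the file.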

🔗 References
