CVE-2016-4947

Description

Cloudera HUE 3.9.0 and earlier allows remote attackers to enumerate user accounts via a request to `desktop/api/users/autocomplete`.

How to fix CVE-2016-4947

No fixed version has been published yet. Mitigate by removing the affected package or applying upstream guidance from the references below.

• npm/gethue—no fix listed

Is CVE-2016-4947 being exploited?

Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

• from 0, <= 3.9.0

CVSS scores

References (4)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2016-4947
• PATCHgithub.com/cloudera/hue
• WEB2016.hack.lu/archive/2016/Wavestone%20-%20Hack.lu%202016%20-%20Hadoop%20safari%20-%20Hunting%20for%20vulnerabilities%20-%20v1.0.pdf
• WEBweb.archive.org/web/20210123183622/http://www.securityfocus.com/bid/93880