{"schema_version": "1.6.1", "id": "CVE-2025-23195", "summary": "XML External Entity (XXE) Vulnerability in Ambari/Oozie", "details": "An XML External Entity (XXE) vulnerability exists in the Ambari/Oozie \nproject, allowing an attacker to inject malicious XML entities. This \nvulnerability occurs due to insecure parsing of XML input using the \n`DocumentBuilderFactory` class without disabling external entity \nresolution. An attacker can exploit this vulnerability to read arbitrary\n files on the server or perform server-side request forgery (SSRF) \nattacks. The issue has been fixed in both Ambari 2.7.9 and the trunk \nbranch.", "affected": [{"ranges": [{"type": "SEMVER", "events": [{"introduced": "0"}, {"fixed": "2.7.9"}]}]}], "references": [{"type": "WEB", "url": "https://lists.apache.org/thread/hsb6mvxd7g37dq1ygtd0pd88gs9tfcwq"}]}