{"id":"CVE-2018-11799","details":"Vulnerability allows a user of Apache Oozie 3.1.3-incubating to 5.0.0 to impersonate other users. The malicious user can construct an XML that results workflows running in other user's name.","aliases":["GHSA-wg5w-vv93-3f7w"],"modified":"2026-04-11T12:27:24.872527Z","published":"2018-12-19T20:29:00.230Z","references":[{"type":"WEB","url":"https://lists.apache.org/thread.html/347e7a8cb86014b7ca37e49eb00b8d088203bdc0bcfb4799f8e5955a%40%3Cuser.oozie.apache.org%3E"},{"type":"ADVISORY","url":"http://www.securityfocus.com/bid/106266"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/apache/oozie","events":[{"introduced":"4221dcfdb0d084c2e57c8216fc6145349b29aaa5"},{"fixed":"352b76ebc9f5c3f548275214f1a29078622ab830"},{"introduced":"0"},{"last_affected":"4221dcfdb0d084c2e57c8216fc6145349b29aaa5"}],"database_specific":{"versions":[{"introduced":"3.1.3"},{"fixed":"5.1.0"},{"introduced":"0"},{"last_affected":"3.1.3-incubating"}]}}],"versions":["release-3.1.3","release-5.0.0-beta1-rc0","release-5.1.0-rc0","release-5.1.0-rc1"],"database_specific":{"vanir_signatures_modified":"2026-04-11T12:27:24Z","source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-11799.json","vanir_signatures":[{"signature_type":"Function","source":"https://github.com/apache/oozie/commit/352b76ebc9f5c3f548275214f1a29078622ab830","target":{"function":"writeScript","file":"core/src/test/java/org/apache/oozie/action/hadoop/TestShellContentWriter.java"},"id":"CVE-2018-11799-02802386","signature_version":"v1","deprecated":false,"digest":{"length":302,"function_hash":"160194018468072020635403387757425004881"}},{"signature_type":"Function","source":"https://github.com/apache/oozie/commit/352b76ebc9f5c3f548275214f1a29078622ab830","target":{"function":"print","file":"sharelib/oozie/src/main/java/org/apache/oozie/action/hadoop/ShellContentWriter.java"},"id":"CVE-2018-11799-5bac1dbb","signature_version":"v1","deprecated":false,"digest":{"length":910,"function_hash":"168159148419434136421736128982621231734"}},{"signature_type":"Function","source":"https://github.com/apache/oozie/commit/352b76ebc9f5c3f548275214f1a29078622ab830","target":{"function":"testMissingFile","file":"core/src/test/java/org/apache/oozie/action/hadoop/TestShellContentWriter.java"},"id":"CVE-2018-11799-64ef7fed","signature_version":"v1","deprecated":false,"digest":{"length":244,"function_hash":"264970747429871551663195328184138576444"}},{"signature_type":"Line","source":"https://github.com/apache/oozie/commit/352b76ebc9f5c3f548275214f1a29078622ab830","target":{"file":"sharelib/oozie/src/main/java/org/apache/oozie/action/hadoop/ShellContentWriter.java"},"id":"CVE-2018-11799-abbe06b3","signature_version":"v1","deprecated":false,"digest":{"threshold":0.9,"line_hashes":["233246631065754539357421312588662251221","295776024517750380090261865488681407365","121819447314944507662208143820503064790","285572287153155005233481418733062534817","339882242034407000816010290823637190034","81546773024659273036053770065409482347","219824660516711567392605864520538268804","98145750593739261586556647153234746200","311910325282607174476351137980074695995","172651663341236152387988707400589771309","111095968980427487803250738284626427347","251002249673703171680416722390289030638","322546647638909165221269474226972646083","32461531651547481647097425522581667031","231685329752114104016313375756587344763","163687871603659082352807640796016531980"]}},{"signature_type":"Line","source":"https://github.com/apache/oozie/commit/352b76ebc9f5c3f548275214f1a29078622ab830","target":{"file":"core/src/test/java/org/apache/oozie/action/hadoop/TestShellContentWriter.java"},"id":"CVE-2018-11799-f2c973bc","signature_version":"v1","deprecated":false,"digest":{"threshold":0.9,"line_hashes":["325683535220765380623283808865366175738","66879726538751252127556043308924606450","151019593348407694783823277815940564864","309548290027564469889926410849180966533","269274197580082869728296277736494913415","54868532243595256360010527147784197970","84847430953750215999702358987251061699","12266625577712117940631813298745423004","197696845149513557048264785260584648519","199767383247030216428768509475147890840","178208865892233296082273662609781839066","28850267855991754428824947421678206287","252254792962867012099763021370565955881","270871632772676675570736611076465255434","227832253040215488018985448982172058458"]}}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"}]}