Description
Cloudera HUE 3.9.0 and earlier allows remote attackers to enumerate user accounts via a request to desktop/api/users/autocomplete.
Recommendation
No fix is available yet. The following versions are affected:
- <= 3.9.0
References
- GHSA-rxfp-8jmr-xc95
- 2016.hack.lu
- web.archive.org
- CVE-2016-4947
- CWE-200
- CAPEC-310
- OWASP 2021-A1
- OWASP 2021-A6
Related Issues
- Payload: Pre-Authentication Account Takeover via Parameter Injection in Password Recovery - CVE-2026-34751
- ApostropheCMS: User Enumeration via Timing Side Channel in Password Reset Endpoint - CVE-2026-33877
- StudioCMS REST getUsers Exposes Owner Account Records to Admin Tokens - CVE-2026-32638
- Parse Server: Account takeover via operator injection in authentication data identifier - CVE-2026-32248
Tags:
- npm
- gethue
Last updated on November 07, 2023


