Cloudera Manager <= 5.5 is vulnerable to an access control issue allowing an unprivileged account to enumerate the currently active user sessions with the following GET request:
http://<cloudera_manager_IP>:7180/api/v11/users/sessions
It is worth mentioning that a user who connects through the API won't appear in the "currently connected" user list.
The Cloudera CERT indicated that this vulnerability is fixed in version 5.8.
Moreover, Cloudera Manager <= 5.5 is vulnerable to an access control issue allowing an unprivileged user to enumerate the registered users and their roles with the following GET request:
http://<cloudera_manager_IP>:7180/api/v1/users
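Because API callers do not show up in the "currently connected" list, the server-side access log is the place a defender can see whether a non-admin account has read either listing endpoint. The script below is an added example written for this advisory, not code from Cloudera or from the original report: it parses access-log lines in Common Log Format (an assumption; Cloudera Manager's actual log layout may differ), matches the two endpoints for any API version number, and reports successful GETs made by accounts outside an admin allow-list. The sample log lines, user names and addresses are constructed for the demonstration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed sample access-log lines in Common Log Format (assumption: this is
# not a real Cloudera Manager log; the user names and addresses are made up).
SAMPLE_LOG = """\
10.0.0.5 - alice [12/Mar/2016:10:15:32 +0000] "GET /api/v11/users/sessions HTTP/1.1" 200 512
10.0.0.9 - admin [12/Mar/2016:10:16:01 +0000] "GET /api/v1/users HTTP/1.1" 200 2048
10.0.0.5 - alice [12/Mar/2016:10:16:45 +0000] "GET /api/v1/users HTTP/1.1" 200 2048
10.0.0.7 - bob [12/Mar/2016:10:17:10 +0000] "GET /api/v11/clusters HTTP/1.1" 200 1024
10.0.0.7 - - [12/Mar/2016:10:17:30 +0000] "GET /api/v1/users HTTP/1.1" 401 0
"""

# One Common Log Format line: client, ident, authenticated user, timestamp,
# request line, status code, response size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# The two endpoints named in the advisory, for any API version number:
# /api/v<N>/users (user and role listing) and /api/v<N>/users/sessions
# (active session listing). A trailing slash or query string is tolerated;
# a single-user lookup such as /api/v1/users/<name> is deliberately not matched.
SENSITIVE_RE = re.compile(r'^/api/v\d+/users(?:/sessions)?/?(?:\?.*)?$')


@dataclass
class Finding:
    ip: str
    user: str
    path: str
    status: int


def parse_line(line: str) -> Optional[dict]:
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_user_enumeration(path: str) -> bool:
    """True if the request path is one of the user/session listing endpoints."""
    return SENSITIVE_RE.match(path) is not None


def find_suspicious(log_text: str, admin_users: Set[str]) -> List[Finding]:
    """Flag successful GETs to the listing endpoints by non-admin accounts.

    Only 2xx responses are reported: a 401 or 403 means the server refused the
    request, which is what a patched (5.8 or later) deployment should return
    for an unprivileged caller.
    """
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        status = int(rec["status"])
        if rec["method"] != "GET" or not 200 <= status < 300:
            continue
        if not is_user_enumeration(rec["path"]):
            continue
        if rec["user"] in admin_users:
            continue
        findings.append(Finding(rec["ip"], rec["user"], rec["path"], status))
    return findings


if __name__ == "__main__":
    # Usage: read a real log file instead of SAMPLE_LOG and pass your admin set.
    for f in find_suspicious(SAMPLE_LOG, {"admin"}):
        print(f"{f.ip} {f.user} read {f.path} (HTTP {f.status})")
```

The admin allow-list is the one knob that needs local knowledge: any account that legitimately holds the administrator role on the affected deployment goes in that set, and everything else that reaches these endpoints with a 2xx response is worth a look. The 401 line in the sample shows the other half of the check: on a deployment running the fixed version, unprivileged requests should land in the log with a refusal code rather than a 200.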