Hue 3.7.1 Local Privilege Escalation

Posted by Julian Horoszkiewicz on May 14

Title: Hue 3.7.1 Local Privilege Escalation
Author: Julian Horoszkiewicz
Description:
An issue with the hue-root privilege separation model has been identified. The
reason for this is that the /usr/lib/hue/build/env/bin/supervisor Python script
is by default owned by user hue, but executed as root. That opens the way
for adding arbitrary commands to be executed as root if one has access to
the hue user account.
The hue server itself runs with privileges of…
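
An ownership audit for the condition described above, as an added example that is not part of the original advisory or the Hue project. It generalizes the single-file case to every parent directory of the script, since a non-root owner of any path component can also replace what root runs. The function name and its `trusted_uids` and `stop` parameters are illustrative assumptions; only the supervisor path comes from the advisory.

```python
import os
import stat

# Path taken from the advisory; everything else here is illustrative.
SUPERVISOR = "/usr/lib/hue/build/env/bin/supervisor"


def audit_root_executed_path(path, trusted_uids=(0,), stop="/"):
    """Return (component, problem) pairs for a file that root executes.

    Checks the file and each parent directory up to `stop`: any component
    owned by an untrusted uid, or writable by group/other, lets a
    non-root account replace what root will run.
    """
    findings = []
    current = os.path.realpath(path)  # audit the real target, not a symlink
    stop = os.path.realpath(stop)
    while True:
        st = os.stat(current)
        if st.st_uid not in trusted_uids:
            findings.append((current, f"owned by uid {st.st_uid}"))
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            mode = stat.filemode(st.st_mode)
            findings.append((current, f"group/other writable ({mode})"))
        parent = os.path.dirname(current)
        if current == stop or parent == current:
            break
        current = parent
    return findings


if __name__ == "__main__":
    if os.path.exists(SUPERVISOR):
        for component, problem in audit_root_executed_path(SUPERVISOR):
            print(f"{component}: {problem}")
    else:
        print(f"{SUPERVISOR} not present on this host")
```

An empty result means root owns the script and every directory above it and none of them is group- or world-writable.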
