Apache Oozie is a workflow scheduler system to manage Apache Hadoop jobs.
The Apache Software Foundation
Oozie 3.1.3-incubating to Oozie 4.3.0
The vulnerability allows a user of Oozie to expose private files on the Oozie
server process. A malicious user can construct a workflow XML file
containing XML directives and configuration that reference sensitive files
on the Oozie server host.
Users should upgrade to the Apache Oozie 4.3.1 release from http://oozie.apache.org/
Users should use the 5.0.0-beta1 release only for testing purposes and wait for
the 5.0.0 GA, which will have the fix.
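
One way to screen workflow XML for constructs that reference files outside the document before it is submitted, as an added example that is not Oozie code. The advisory does not name the directives involved; this sketch assumes they include external DTDs, external entity declarations and XInclude elements, and `audit_workflow_xml` and the sample documents are constructed for illustration.

```python
import xml.parsers.expat

XINCLUDE_NS = "http://www.w3.org/2001/XInclude"

def audit_workflow_xml(xml_text):
    """Return (kind, detail) findings; an empty list means nothing was flagged.

    expat reports declarations through callbacks and, with no
    ExternalEntityRefHandler installed, never fetches what they point to.
    """
    findings = []
    parser = xml.parsers.expat.ParserCreate(namespace_separator=" ")

    def on_doctype(name, system_id, public_id, has_internal_subset):
        if system_id or public_id:          # DTD loaded from outside the file
            findings.append(("external-dtd", system_id or public_id))

    def on_entity(name, is_param, value, base, system_id, public_id, notation):
        if system_id or public_id:          # entity body lives in another resource
            findings.append(("external-entity", f"{name} -> {system_id or public_id}"))

    def on_start(tag, attrs):
        ns, _, local = tag.rpartition(" ")  # tag is "namespace-uri local-name"
        if ns == XINCLUDE_NS and local == "include":
            findings.append(("xinclude", attrs.get("href", "")))

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.StartElementHandler = on_start
    try:
        parser.Parse(xml_text, True)
    except xml.parsers.expat.ExpatError as exc:
        findings.append(("parse-error", str(exc)))  # reject what cannot be inspected
    return findings

# Constructed samples; the file paths are placeholders.
BODY = '<start to="end"/><end name="end"/></workflow-app>'
CLEAN = '<workflow-app xmlns="uri:oozie:workflow:0.5" name="demo">' + BODY
WITH_ENTITY = ('<!DOCTYPE workflow-app [<!ENTITY cfg SYSTEM '
               '"file:///PLACEHOLDER/path">]>' + CLEAN)
WITH_XINCLUDE = ('<workflow-app xmlns="uri:oozie:workflow:0.5" name="demo" '
                 'xmlns:xi="http://www.w3.org/2001/XInclude">'
                 '<xi:include href="file:///PLACEHOLDER/path" parse="text"/>' + BODY)

if __name__ == "__main__":
    for label, doc in (("clean", CLEAN), ("entity", WITH_ENTITY),
                       ("xinclude", WITH_XINCLUDE)):
        print(label, audit_workflow_xml(doc))
```
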
The issues were discovered by Daryn Sharp and Jason Lowe of Oath (formerly