Azure HDInsight privilege escalation and DoS vulnerabilities

Published Tue, Feb 6th, 2024


Three privilege escalation and denial-of-service vulnerabilities were discovered in Azure HDInsight, related to its use of Apache Oozie and Ambari. The root cause of at least one of these vulnerabilities is a flaw in Apache Oozie itself, leading to regex denial-of-service (ReDoS). The other two vulnerabilities could allow an authenticated attacker with HDI cluster access to gain cluster administrator privileges and perform any resource service management operation. The vulnerabilities were patched in the October 2023 security update of Azure HDInsight.

Affected Services



Update to HDInsight image 2308221128 or 2310140056.

Tracked CVEs

CVE-2023-36419, CVE-2023-38156


Disclosure Date
Exploitability Period
Known ITW Exploitation
Detection Methods
Piercing Index Rating
Discovered by
Lidor Ben Shitrit, Orca Security