Before reporting any security related JIRAs, please go through Apache's guidance for VULNERABILITY HANDLING
Please see Lock down Apache Ranger for production deployments
Fixed in Ranger 2.6.0
CVE-2024-55532: Improper Neutralization of Formula Elements in a CSV File in Export to CSV feature of Apache Ranger
Severity: Low
Vendor: The Apache Software Foundation
Versions Affected: Apache Ranger versions prior to 2.6.0
Users affected: All users of ranger policy admin tool
Description: Improper Neutralization issue in Export to CSV functionality.
Fix detail: Added logic to properly sanitize the exported content.
Mitigation: Users should upgrade to 2.6.0 or later version of Apache Ranger with the fix.
Credit: 김도균 (a2256014@naver.com)
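An added illustration of the kind of sanitization the fix above describes (this is example code, not Ranger's own export implementation): any cell whose first character would make a spreadsheet evaluate it as a formula is prefixed with a single quote before the row is CSV-quoted. The column names and sample rows are constructed for the demonstration.

```python
import csv
import io

# Leading characters that spreadsheet applications interpret as the start
# of a formula (tab and carriage return can push content into another cell).
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def neutralize_cell(value) -> str:
    """Return the cell text with a leading single quote if a spreadsheet
    would otherwise evaluate it, so it is displayed as plain text.
    Trade-off: negative numbers such as -5 are prefixed as well; an
    exporter that wants them numeric must special-case them."""
    text = "" if value is None else str(value)
    if text.startswith(FORMULA_TRIGGERS):
        return "'" + text
    return text


def export_csv(header, rows) -> str:
    """Write header and rows as RFC 4180 CSV with every field quoted.
    Neutralization runs before quoting, so the added quote sits inside the
    field and survives a round trip through a CSV reader."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\r\n")
    writer.writerow(header)
    for row in rows:
        writer.writerow([neutralize_cell(cell) for cell in row])
    return buf.getvalue()


# Constructed sample data: the second policy name starts with '=' and stands
# in for user-controlled input that reaches the export.
SAMPLE_HEADER = ["Policy Name", "Resource", "Users"]
SAMPLE_ROWS = [
    ["hdfs_finance", "/finance", "alice"],
    ["=SUM(1,2)", "/tmp", "bob"],
]

if __name__ == "__main__":
    print(export_csv(SAMPLE_HEADER, SAMPLE_ROWS))
```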
Fixed in Ranger 2.5.0
CVE-2024-45478: Stored XSS vulnerability in Edit Service Page of Apache Ranger UI
Severity: Moderate
Vendor: The Apache Software Foundation
Versions Affected: Apache Ranger versions prior to 2.5.0
Users affected: All users of ranger policy admin tool UI
Description: Apache Ranger was found to be vulnerable to a Stored XSS issue in Edit Service functionality.
Fix detail: Added logic to validate the user input.
Mitigation: Users should upgrade to 2.5.0 or later version of Apache Ranger with the fix.
Credit: Gyujin
CVE-2024-45479: SSRF vulnerability in Edit Service Page of Apache Ranger UI
Severity: Moderate
Vendor: The Apache Software Foundation
Versions Affected: Apache Ranger versions prior to 2.5.0
Users affected: All users of ranger policy admin tool UI
Description: Apache Ranger was found to be vulnerable to a SSRF issue in Edit Service functionality.
Fix detail: Added logic to validate the user input.
Mitigation: Users should upgrade to 2.5.0 or later version of Apache Ranger with the fix.
Credit: Gyujin
Fixed in Ranger 2.0.0
CVE-2019-12397: Apache Ranger cross site scripting issue
Severity: Normal
Vendor: The Apache Software Foundation
Versions Affected: 0.7.0 to 1.2.0 versions of Apache Ranger, prior to 2.0.0
Users affected: All users of ranger policy admin tool
Description: Apache Ranger was found to be vulnerable to a Cross-Site Scripting in policy import functionality.
Fix detail: Added logic to sanitize the user input.
Mitigation: Users should upgrade to 2.0.0 or later version of Apache Ranger with the fix.
Credit: Jan Kaszycki from STM Solutions
Fixed in Ranger 1.2.0
CVE-2018-11778: Apache Ranger Stack based buffer overflow
Severity: Critical
Vendor: The Apache Software Foundation
Versions Affected: Apache Ranger versions prior to 1.2.0
Users affected: Unix Authentication Service users
Description: Apache Ranger UnixAuthenticationService should properly handle user input to avoid Stack-based buffer overflow.
Fix detail: UnixAuthenticationService was updated to correctly handle user input.
Mitigation: Users should upgrade to 1.2.0 or later version of Apache Ranger with the fix.
Credit: Alexander Klink.
Fixed in Ranger 0.7.1
CVE-2017-7676: Apache Ranger policy evaluation ignores characters after ‘*’ wildcard character
Severity: Critical
Vendor: The Apache Software Foundation
Versions Affected: 0.6.x/0.7.0 versions of Apache Ranger
Users affected: Environments that use Ranger policies with characters after the ‘*’ wildcard character, such as my*test or test*.txt
Description: Policy resource matcher effectively ignores characters after the ‘*’ wildcard character. This can result in affected policies applying to resources they should not apply to.
Fix detail: Ranger policy resource matcher was updated to correctly handle wildcard matches.
Mitigation: Users should upgrade to 0.7.1 or later version of Apache Ranger with the fix.
CVE-2017-7677: Apache Ranger Hive Authorizer should check for RWX permission when external location is specified
Severity: Critical
Vendor: The Apache Software Foundation
Versions Affected: 0.5.x/0.6.x/0.7.0 versions of Apache Ranger
Users affected: Environments that use external location for hive tables
Description: Because Ranger Hive Authorizer did not check RWX permission on the external location when one is specified, a table could be created without the user holding the required permissions on that location.
Fix detail: Ranger Hive Authorizer was updated to correctly handle permission check with external location.
Mitigation: Users should upgrade to 0.7.1 or later version of Apache Ranger with the fix.
Fixed in Ranger 0.6.3
CVE-2016-8746: Apache Ranger path matching issue in policy evaluation
Severity: Normal
Vendor: The Apache Software Foundation
Versions Affected: 0.6.0/0.6.1/0.6.2 versions of Apache Ranger
Users affected: All users of ranger policy admin tool
Description: Ranger policy engine incorrectly matches paths in certain conditions when policy does not contain wildcards and has recursion flag set to true.
Fix detail: Fixed policy evaluation logic.
Mitigation: Users should upgrade to 0.6.3 or later version of Apache Ranger with the fix.
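An added example, not Ranger's matcher code, covering the two policy-evaluation entries above: CVE-2017-7676 (characters after ‘*’ ignored) and CVE-2016-8746 (path matching with the recursion flag). `flawed_match` is a simplified model of the behaviour the CVE-2017-7676 text describes and is an assumption, not the actual faulty code; `fixed_match` shows whole-pattern matching plus segment-aware recursive matching as the general case, since the exact conditions of CVE-2016-8746 are not given on this page.

```python
import re


def _glob_to_regex(pattern: str) -> str:
    """Translate a policy resource pattern to an anchored regex.
    '*' matches any run of characters and '?' exactly one; everything else
    is literal, so text after a '*' still has to be present in the resource."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return "^" + "".join(parts) + "$"


def _ancestors(path: str):
    """'/data/proj/file' -> ['/data/proj', '/data', '/'] (segment-aware)."""
    segments = path.rstrip("/").split("/")
    return ["/".join(segments[:i]) or "/" for i in range(len(segments) - 1, 0, -1)]


def flawed_match(policy_resource: str, resource: str) -> bool:
    """Assumed simplified model of the reported misbehaviour: everything after
    the first '*' is dropped and only the prefix is compared."""
    prefix = policy_resource.split("*", 1)[0]
    return resource.startswith(prefix)


def fixed_match(policy_resource: str, resource: str, recursive: bool = False) -> bool:
    """Whole-string wildcard match. With recursive=True the policy also covers
    anything below a matching path, compared per path segment, so a policy on
    '/data/proj' does not cover '/data/project'."""
    regex = re.compile(_glob_to_regex(policy_resource))
    if regex.match(resource):
        return True
    return recursive and any(regex.match(p) for p in _ancestors(resource))


if __name__ == "__main__":
    for pat, res in (("my*test", "mytest"), ("my*test", "myfoo"), ("test*.txt", "test1.csv")):
        print(pat, res, "flawed:", flawed_match(pat, res), "fixed:", fixed_match(pat, res))
```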
CVE-2016-8751: Apache Ranger stored cross site scripting issue
Severity: Normal
Vendor: The Apache Software Foundation
Versions Affected: 0.5.x and 0.6.0/0.6.1/0.6.2 versions of Apache Ranger
Users affected: All users of ranger policy admin tool
Description: Apache Ranger was found to be vulnerable to a Stored Cross-Site Scripting when entering custom policy conditions. Admin users can store arbitrary JavaScript code to be executed when normal users log in and access policies.
Fix detail: Added logic to sanitize the user input.
Mitigation: Users should upgrade to 0.6.3 or later version of Apache Ranger with the fix.
Fixed in Ranger 0.6.2
CVE-2016-6815: Apache Ranger user privilege vulnerability
Severity: Normal
Vendor: The Apache Software Foundation
Versions Affected: All 0.5.x versions or 0.6.0/0.6.1 versions of Apache Ranger
Users affected: All users of ranger policy admin tool
Description: Users with "keyadmin" role should not be allowed to change password for users with "admin" role.
Fix detail: Added logic to validate the user privilege in the backend.
Mitigation: Users should upgrade to 0.6.2 or later version of Apache Ranger with the fix.
Fixed in Ranger 0.6.1
CVE-2016-5395: Apache Ranger Stored Cross Site Scripting vulnerability
Severity: Normal
Vendor: The Apache Software Foundation
Versions Affected: All 0.5.x versions of Apache Ranger and version 0.6.0
Users Affected: All users of ranger policy admin tool
Description: Apache Ranger was found to be vulnerable to a Stored Cross-Site Scripting in the create user functionality. Admin users can store arbitrary JavaScript code to be executed when normal users log in and access policies.
Fix details: Added logic to sanitize the user input
Mitigation: Users should upgrade to 0.6.1 or later version of Apache Ranger with the fix.
Credit: Thanks to Victor Hora from Securus Global for reporting this issue.
Fixed in Ranger 0.5.3
CVE-2016-2174: Apache Ranger sql injection vulnerability
Severity: Normal
Vendor: The Apache Software Foundation
Versions Affected: All versions of Apache Ranger from 0.5.0 (up to 0.5.3)
Users Affected: All admin users of ranger policy admin tool
Description: SQL Injection vulnerability in the Audit > Access tab. When the user clicks an element from the policyId row of the list, a request is made underneath with an eventTime parameter that carries the vulnerability. Admin users can send arbitrary SQL to be executed along with the eventTime parameter via the /service/plugins/policies/eventTime URL.
Fix details: Replaced native queries with JPA named queries
Mitigation: Users should upgrade to 0.5.3 version of Apache Ranger with the fix.
Credit: Thanks to Mateusz Olejarka from SecuRing for reporting this issue.
Fixed in Ranger 0.5.1
CVE-2015-5167: Restrict REST API data access for non-admin users
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected: 0.4.0 and 0.5.0 version of Apache Ranger
Users affected: All users of ranger policy admin tool
Description: Data access restrictions via REST API are not consistent with restrictions in policy admin UI.
Mitigation: Users should upgrade to Ranger 0.5.1 version
CVE-2016-0733: Ranger Admin authentication issue
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected: 0.4.0 and 0.5.0 version of Apache Ranger
Users affected: All users of ranger policy admin tool
Description: Malicious users can gain access to ranger admin UI without proper authentication.
Mitigation: Users should upgrade to Ranger 0.5.1 version
Fixed in Ranger 0.5.0
CVE-2015-0265: Apache Ranger code injection vulnerability
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected: 0.4.0 version of Apache Ranger
Users affected: All admin users of ranger policy admin tool
Description: Unauthorized users can send JavaScript code to be executed in ranger policy admin tool admin sessions.
Fix detail: Added logic to sanitize the user input
Mitigation: Users should upgrade to 0.5.0+ version of Apache Ranger with the fix
Credit: Thanks to Jakub Kałużny from SecuRing for reporting this issue
CVE-2015-0266: Apache Ranger direct url access vulnerability
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected: 0.4.0 version of Apache Ranger
Users affected: All users of ranger policy admin tool
Description: Regular users can type in the URL of modules that are accessible only to admin users
Fix detail: Added logic in the backend to verify user access
Mitigation: Users should upgrade to 0.5.0+ version of Apache Ranger with the fix
Credit: Thanks to Jakub Kałużny from SecuRing for reporting this issue