
Before reporting any security-related JIRAs, please go through Apache's guidance for VULNERABILITY HANDLING.

Fixed in Ranger 0.7.1


CVE-2017-7676: Apache Ranger policy evaluation ignores characters after ‘*’ wildcard character

Severity: Critical

Vendor: The Apache Software Foundation

Versions Affected: 0.5.x/0.6.x/0.7.0 versions of Apache Ranger

Users affected: Environments that use Ranger policies with characters after the ‘*’ wildcard character, such as my*test or test*.txt

Description: The policy resource matcher effectively ignores characters after the ‘*’ wildcard character. This can cause affected policies to apply to resources they should not cover.

Fix detail: Ranger policy resource matcher was updated to correctly handle wildcard matches.

Mitigation: Users should upgrade to 0.7.1 or later version of Apache Ranger with the fix.
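An added illustration of the matching defect described above, not Ranger's own code: a simplified matcher that compares only the text before the first ‘*’ (the behaviour the advisory describes) beside a matcher that honours every literal segment, plus a check that lists the resources the defective matcher would wrongly cover. Policy values and resource names are constructed samples.

```python
import re


def match_ignoring_suffix(pattern: str, resource: str) -> bool:
    """Model of the defect: only the text before the first '*' is compared,
    so 'my*test' behaves like 'my*'. Simplified model, not Ranger's code."""
    prefix = pattern.split("*", 1)[0]
    return resource.startswith(prefix)


def match_full_wildcard(pattern: str, resource: str) -> bool:
    """Correct handling: every literal segment, including those after a '*',
    must match. The glob is translated to a regex and matched in full."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, resource) is not None


def over_granted(patterns, resources):
    """Return (pattern, resource) pairs the defective matcher allows but the
    correct matcher rejects: resources a vulnerable engine would wrongly cover."""
    return [
        (p, r)
        for p in patterns
        for r in resources
        if match_ignoring_suffix(p, r) and not match_full_wildcard(p, r)
    ]


# Constructed sample policy values (taken from the advisory's examples) and
# constructed resource names to evaluate them against.
SAMPLE_PATTERNS = ["my*test", "test*.txt"]
SAMPLE_RESOURCES = ["mytest", "myXtest", "myother",
                    "test1.txt", "test1.csv", "report.txt"]

if __name__ == "__main__":
    for pattern, resource in over_granted(SAMPLE_PATTERNS, SAMPLE_RESOURCES):
        print(f"policy value {pattern!r} wrongly covers {resource!r}")
```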


CVE-2017-7677: Apache Ranger Hive Authorizer should check for RWX permission when external location is specified

Severity: Critical

Vendor: The Apache Software Foundation

Versions Affected: 0.5.x/0.6.x/0.7.0 versions of Apache Ranger

Users affected: Environments that use external location for hive tables

Description: Because the Ranger Hive Authorizer did not check RWX permission when an external location is specified, a table could be created without the correct permissions on that location.

Fix detail: Ranger Hive Authorizer was updated to correctly handle permission check with external location.

Mitigation: Users should upgrade to 0.7.1 or later version of Apache Ranger with the fix.

Fixed in Ranger 0.6.3


CVE-2016-8746: Apache Ranger path matching issue in policy evaluation

Severity: Normal

Vendor: The Apache Software Foundation

Versions Affected: 0.6.0/0.6.1/0.6.2 versions of Apache Ranger

Users affected: All users of ranger policy admin tool

Description: The Ranger policy engine incorrectly matches paths in certain conditions when the policy does not contain wildcards and has the recursion flag set to true.

Fix detail: Fixed policy evaluation logic.

Mitigation: Users should upgrade to 0.6.3 or later version of Apache Ranger with the fix.
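The advisory does not state the exact mismatch condition, so the following added example (not Ranger's code) shows the semantics a correct recursive, wildcard-free path matcher must satisfy, contrasted with a plain prefix comparison as the classic way such matchers go wrong, and a check that reports paths on which the two disagree. All policy and resource paths are constructed samples.

```python
def naive_prefix_match(policy_path: str, recursive: bool, resource: str) -> bool:
    """Prefix-only comparison: a common mistake in recursive matchers.
    With recursion on, '/data/abc' also covers '/data/abcd' (illustrative,
    not a claim about Ranger's implementation)."""
    if resource == policy_path:
        return True
    return recursive and resource.startswith(policy_path)


def path_matches(policy_path: str, recursive: bool, resource: str) -> bool:
    """Correct semantics for a wildcard-free path policy.
    Non-recursive: exact match only. Recursive: the resource is the policy
    path itself or lies beneath it, i.e. the character after the policy
    path must be the '/' separator."""
    policy = policy_path.rstrip("/") or "/"
    target = resource.rstrip("/") or "/"
    if target == policy:
        return True
    if not recursive:
        return False
    if policy == "/":
        return True
    return target.startswith(policy + "/")


def disagreements(policy_path: str, recursive: bool, resources):
    """Resources on which the naive and correct matchers differ; a non-empty
    result flags paths a prefix-based engine would wrongly grant."""
    return [
        r for r in resources
        if naive_prefix_match(policy_path, recursive, r)
        != path_matches(policy_path, recursive, r)
    ]


# Constructed sample requests against a recursive policy on /data/abc.
SAMPLE_REQUESTS = ["/data/abc", "/data/abc/", "/data/abc/x/y",
                   "/data/abcd", "/data/abcd/file", "/data/ab"]

if __name__ == "__main__":
    for r in disagreements("/data/abc", True, SAMPLE_REQUESTS):
        print(f"prefix matcher wrongly covers {r!r}")
```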


CVE-2016-8751: Apache Ranger stored cross site scripting issue

Severity: Normal

Vendor: The Apache Software Foundation

Versions Affected: 0.5.x and 0.6.0/0.6.1/0.6.2 versions of Apache Ranger

Users affected: All users of ranger policy admin tool

Description: Apache Ranger was found to be vulnerable to Stored Cross-Site Scripting when entering custom policy conditions. Admin users can store arbitrary JavaScript code that is executed when normal users log in and access policies.

Fix detail: Added logic to sanitize the user input.

Mitigation: Users should upgrade to 0.6.3 or later version of Apache Ranger with the fix.

Fixed in Ranger 0.6.2


CVE-2016-6815: Apache Ranger user privilege vulnerability

Severity: Normal

Vendor: The Apache Software Foundation

Versions Affected: All 0.5.x versions or 0.6.0/0.6.1 versions of Apache Ranger

Users affected: All users of ranger policy admin tool

Description: Users with "keyadmin" role should not be allowed to change password for users with "admin" role.

Fix detail: Added logic to validate the user privilege in the backend.

Mitigation: Users should upgrade to 0.6.2 or later version of Apache Ranger with the fix.

Fixed in Ranger 0.6.1


CVE-2016-5395: Apache Ranger Stored Cross Site Scripting vulnerability

Severity: Normal

Vendor: The Apache Software Foundation

Versions Affected: All 0.5.x versions of Apache Ranger and version 0.6.0 

Users Affected: All users of ranger policy admin tool

Description: Apache Ranger was found to be vulnerable to Stored Cross-Site Scripting in the create-user functionality. Admin users can store arbitrary JavaScript code that is executed when normal users log in and access policies.

Fix details: Added logic to sanitize the user input.

Mitigation: Users should upgrade to 0.6.1 or later version of Apache Ranger with the fix.

Credit: Thanks to Victor Hora from Securus Global for reporting this issue.

Fixed in Ranger 0.5.3


CVE-2016-2174: Apache Ranger SQL injection vulnerability

Severity: Normal

Vendor: The Apache Software Foundation

Versions Affected: All versions of Apache Ranger from 0.5.0 (up to 0.5.3)

Users Affected: All admin users of ranger policy admin tool

Description: SQL injection vulnerability in the Audit > Access tab. When the user clicks an element in the policyId column of the list, the UI makes an underlying request whose eventTime parameter is vulnerable. Admin users can send arbitrary SQL in the eventTime parameter of the /service/plugins/policies/eventTime URL and have it executed.

Fix details: Replaced native queries with JPA named queries.

Mitigation: Users should upgrade to 0.5.3 version of Apache Ranger with the fix.

Credit: Thanks to Mateusz Olejarka from SecuRing for reporting this issue.

Fixed in Ranger 0.5.1


CVE-2015-5167: Restrict REST API data access for non-admin users

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected: 0.4.0 and 0.5.0 version of Apache Ranger

Users affected: All users of ranger policy admin tool

Description: Data access restrictions via the REST API are not consistent with the restrictions in the policy admin UI.

Mitigation: Users should upgrade to Ranger version 0.5.1.


CVE-2016-0733: Ranger Admin authentication issue

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected: 0.4.0 and 0.5.0 version of Apache Ranger

Users affected: All users of ranger policy admin tool

Description: Malicious users can gain access to the Ranger admin UI without proper authentication.

Mitigation: Users should upgrade to Ranger version 0.5.1.


Fixed in Ranger 0.5.0


CVE-2015-0265: Apache Ranger code injection vulnerability

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected: 0.4.0 version of Apache Ranger

Users affected: All admin users of ranger policy admin tool

Description: Unauthorized users can submit JavaScript code that is executed in admin sessions of the Ranger policy admin tool.

Fix detail: Added logic to sanitize the user input.

Mitigation: Users should upgrade to version 0.5.0 or later of Apache Ranger with the fix.

Credit: Thanks to Jakub Kałużny from SecuRing for reporting this issue.


CVE-2015-0266: Apache Ranger direct url access vulnerability

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected: 0.4.0 version of Apache Ranger

Users affected: All users of ranger policy admin tool

Description: Regular users can type in the URL of modules that are accessible only to admin users.

Fix detail: Added logic in the backend to verify user access.

Mitigation: Users should upgrade to version 0.5.0 or later of Apache Ranger with the fix.

Credit: Thanks to Jakub Kałużny from SecuRing for reporting this issue.
