
Before reporting any security-related JIRAs, please go through Apache's guidance for VULNERABILITY HANDLING

Please see Lock down Apache Ranger for production deployments

Fixed in Ranger 2.0.0


CVE-2019-12397: Apache Ranger cross site scripting issue

Severity: Normal

Vendor: The Apache Software Foundation

Versions Affected: Apache Ranger versions 0.7.0 through 1.2.0 (all releases prior to 2.0.0)

Users affected: All users of the Ranger policy admin tool

Description: Apache Ranger was found to be vulnerable to cross-site scripting (XSS) in its policy import functionality.

Fix detail: Added logic to sanitize the user input.

Mitigation: Users should upgrade to Apache Ranger 2.0.0 or a later version, which contains the fix.

Credit: Jan Kaszycki from STM Solutions

Fixed in Ranger 1.2.0


CVE-2018-11778: Apache Ranger stack-based buffer overflow