Before reporting any security-related JIRAs, please go through Apache's guidance for VULNERABILITY HANDLING

Please see Lock down Apache Ranger for production deployments

Fixed in Ranger 2.0.0


CVE-2019-12397: Apache Ranger cross site scripting issue

Severity: Normal

Vendor: The Apache Software Foundation

Versions Affected: Apache Ranger versions 0.7.0 through 1.2.0 (all releases prior to 2.0.0)

Users affected: All users of ranger policy admin tool

Description: Apache Ranger was found to be vulnerable to cross-site scripting in the policy import functionality.

Fix detail: Added logic to sanitize the user input.

Mitigation: Users should upgrade to 2.0.0 or later version of Apache Ranger with the fix.

Credit: Jan Kaszycki from STM Solutions

Fixed in Ranger 1.2.0


CVE-2018-11778: Apache Ranger stack-based buffer overflow

Severity: Critical

Vendor: The Apache Software Foundation

Versions Affected: Apache Ranger versions prior to 1.2.0

Users affected: Unix Authentication Service users

Description: Apache Ranger UnixAuthenticationService did not properly handle user input, leaving it open to a stack-based buffer overflow.

Fix detail: UnixAuthenticationService was updated to correctly handle user input.

Mitigation: Users should upgrade to 1.2.0 or later version of Apache Ranger with the fix.

Credit: Alexander Klink.

Fixed in Ranger 0.7.1


CVE-2017-7676: Apache Ranger policy evaluation ignores characters after ‘*’ wildcard character

Severity: Critical

Vendor: The Apache Software Foundation

Versions Affected: 0.6.x/0.7.0 versions of Apache Ranger

Users affected: Environments that use Ranger policies with characters after the ‘*’ wildcard character, such as my*test or test*.txt

Description: The policy resource matcher effectively ignores characters after the ‘*’ wildcard character. This can result in affected policies applying to resources they should not apply to.

Fix detail: Ranger policy resource matcher was updated to correctly handle wildcard matches.

Mitigation: Users should upgrade to 0.7.1 or later version of Apache Ranger with the fix.
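A defender's check for the CVE-2017-7676 advisory above, written as an added example that is not part of the Ranger project or this page: it scans a constructed export of Ranger policies for resource patterns with characters after a ‘*’ (the policies the advisory lists as affected) and contrasts strict glob matching with a model of the flawed matcher, where the model's assumption is that everything after the first ‘*’ is dropped. The policy JSON layout is a simplified assumption, not the real export format.

```python
import json
import re

# Constructed sample of an exported policy list (not from the advisory page);
# only the fields the check needs are present, and the layout is assumed.
SAMPLE_POLICIES = json.dumps([
    {"id": 1, "name": "reports", "resources": {"path": {"values": ["/data/reports*.txt"]}}},
    {"id": 2, "name": "logs",    "resources": {"path": {"values": ["/logs/*"]}}},
    {"id": 3, "name": "tables",  "resources": {"database": {"values": ["my*test", "prod"]}}},
])


def has_chars_after_star(pattern: str) -> bool:
    """True when a '*' is followed by at least one more character."""
    idx = pattern.find("*")
    return idx != -1 and idx < len(pattern) - 1


def affected_resources(policy_json: str):
    """Return (policy id, resource type, pattern) for every resource pattern
    that a pre-0.7.1 matcher would evaluate too broadly."""
    hits = []
    for policy in json.loads(policy_json):
        for res_type, res in policy.get("resources", {}).items():
            for pattern in res.get("values", []):
                if has_chars_after_star(pattern):
                    hits.append((policy["id"], res_type, pattern))
    return hits


def glob_to_regex(pattern: str) -> "re.Pattern[str]":
    """Whole-string glob: '*' spans any characters, everything else is literal."""
    return re.compile("^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$")


def matches_strict(pattern: str, value: str) -> bool:
    """Correct behaviour: characters after '*' must still match."""
    return bool(glob_to_regex(pattern).match(value))


def matches_truncated(pattern: str, value: str) -> bool:
    """Assumed model of the flaw: the pattern is cut off after its first '*'."""
    cut = pattern[: pattern.find("*") + 1] if "*" in pattern else pattern
    return matches_strict(cut, value)
```

Running affected_resources over a real export would list every policy to re-check after upgrading; the two matcher functions show why my*test wrongly covers myfoo under the flawed model.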


CVE-2017-7677: Apache Ranger Hive Authorizer should check for RWX permission when external location is specified

Severity: Critical

Vendor: The Apache Software Foundation

Versions Affected: 0.5.x/0.6.x/0.7.0 versions of Apache Ranger

Users affected: Environments that use an external location for Hive tables

Description: Because the Ranger Hive Authorizer did not check RWX permission when an external location was specified, a table could be created without the right permissions being required.

Fix detail: Ranger Hive Authorizer was updated to correctly handle permission check with external location.

Mitigation: Users should upgrade to 0.7.1 or later version of Apache Ranger with the fix.

Fixed in Ranger 0.6.3


CVE-2016-8746: Apache Ranger path matching issue in policy evaluation

Severity: Normal

Vendor: The Apache Software Foundation

Versions Affected: 0.6.0/0.6.1/0.6.2 versions of Apache Ranger

Users affected: All users of ranger policy admin tool

Description: The Ranger policy engine incorrectly matches paths in certain conditions when the policy does not contain wildcards and has the recursion flag set to true.

Fix detail: Fixed policy evaluation logic.

Mitigation: Users should upgrade to 0.6.3 or later version of Apache Ranger with the fix.


CVE-2016-8751: Apache Ranger stored cross site scripting issue

Severity: Normal

Vendor: The Apache Software Foundation

Versions Affected: 0.5.x and 0.6.0/0.6.1/0.6.2 versions of Apache Ranger

Users affected: All users of ranger policy admin tool

Description: Apache Ranger was found to be vulnerable to stored cross-site scripting when entering custom policy conditions. Admin users can store arbitrary JavaScript code that is executed when normal users log in and access policies.

Fix detail: Added logic to sanitize the user input.

Mitigation: Users should upgrade to 0.6.3 or later version of Apache Ranger with the fix.

Fixed in Ranger 0.6.2


CVE-2016-6815: Apache Ranger user privilege vulnerability

Severity: Normal

Vendor: The Apache Software Foundation

Versions Affected: All 0.5.x versions or 0.6.0/0.6.1 versions of Apache Ranger

Users affected: All users of ranger policy admin tool

Description: Users with "keyadmin" role should not be allowed to change password for users with "admin" role.

Fix detail: Added logic to validate the user privilege in the backend.

Mitigation: Users should upgrade to 0.6.2 or later version of Apache Ranger with the fix.

Fixed in Ranger 0.6.1


CVE-2016-5395: Apache Ranger Stored Cross Site Scripting vulnerability

Severity: Normal

Vendor: The Apache Software Foundation

Versions Affected: All 0.5.x versions of Apache Ranger and version 0.6.0

Users Affected: All users of ranger policy admin tool

Description: Apache Ranger was found to be vulnerable to stored cross-site scripting in the create user functionality. Admin users can store arbitrary JavaScript code that is executed when normal users log in and access policies.

Fix detail: Added logic to sanitize the user input.

Mitigation: Users should upgrade to 0.6.1 or later version of Apache Ranger with the fix.

Credit: Thanks to Victor Hora from Securus Global for reporting this issue.

Fixed in Ranger 0.5.3


CVE-2016-2174: Apache Ranger SQL injection vulnerability

Severity: Normal

Vendor: The Apache Software Foundation

Versions Affected: All versions of Apache Ranger from 0.5.0 (up to 0.5.3)

Users Affected: All admin users of ranger policy admin tool

Description: SQL injection vulnerability in the Audit > Access tab. When a user clicks an element in the policyId row of the list, an underlying call is made with an eventTime parameter, and that parameter carries the vulnerability. Admin users can send arbitrary SQL code to be executed along with the eventTime parameter using the /service/plugins/policies/eventTime URL.

Fix detail: Replaced native queries with JPA named queries.

Mitigation: Users should upgrade to the 0.5.3 version of Apache Ranger with the fix.

Credit: Thanks to Mateusz Olejarka from SecuRing for reporting this issue.

Fixed in Ranger 0.5.1


CVE-2015-5167: Restrict REST API data access for non-admin users

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected: 0.4.0 and 0.5.0 version of Apache Ranger

Users affected: All users of ranger policy admin tool

Description: Data access restrictions via the REST API are not consistent with the restrictions in the policy admin UI.

Mitigation: Users should upgrade to Ranger version 0.5.1.


CVE-2016-0733: Ranger Admin authentication issue

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected: 0.4.0 and 0.5.0 version of Apache Ranger

Users affected: All users of ranger policy admin tool

Description: Malicious users can gain access to the Ranger admin UI without proper authentication.

Mitigation: Users should upgrade to Ranger version 0.5.1.


Fixed in Ranger 0.5.0


CVE-2015-0265: Apache Ranger code injection vulnerability

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected: 0.4.0 version of Apache Ranger

Users affected: All admin users of ranger policy admin tool

Description: Unauthorized users can send JavaScript code to be executed in admin sessions of the Ranger policy admin tool.

Fix detail: Added logic to sanitize the user input.

Mitigation: Users should upgrade to version 0.5.0 or later of Apache Ranger with the fix.

Credit: Thanks to Jakub Kałużny from SecuRing for reporting this issue.


CVE-2015-0266: Apache Ranger direct URL access vulnerability

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected: 0.4.0 version of Apache Ranger

Users affected: All users of ranger policy admin tool

Description: Regular users can type in the URL of modules that are accessible only to admin users.

Fix detail: Added logic in the backend to verify user access.

Mitigation: Users should upgrade to version 0.5.0 or later of Apache Ranger with the fix.

Credit: Thanks to Jakub Kałużny from SecuRing for reporting this issue.