This page lists the security vulnerabilities that have been found in Apache Ranger. For each vulnerability, the following information is provided: the CVE identifier and title, severity, vendor, versions affected, users affected, a description, fix detail, mitigation, and credit to the reporter (where available).

| CVE-2024-55532 | Improper Neutralization of Formula Elements in a CSV File in Export to CSV feature of Apache Ranger |
|---|---|
| Severity | Low |
| Vendor | The Apache Software Foundation |
| Versions Affected | Apache Ranger versions prior to 2.6.0 |
| Users affected | All users of ranger policy admin tool |
| Description | Improper Neutralization issue in Export to CSV functionality |
| Fix detail | Added logic to properly sanitize the exported content |
| Mitigation | Users should upgrade to 2.6.0 or later version of Apache Ranger with the fix |
| Credit | 김도균 (a2256014@naver.com) |

| CVE-2024-45478 | Stored XSS vulnerability in Edit Service Page of Apache Ranger UI |
|---|---|
| Severity | Moderate |
| Vendor | The Apache Software Foundation |
| Versions Affected | Apache Ranger versions prior to 2.5.0 |
| Users affected | All users of ranger policy admin tool UI |
| Description | Apache Ranger was found to be vulnerable to a Stored XSS issue in Edit Service functionality |
| Fix detail | Added logic to validate the user input |
| Mitigation | Users should upgrade to 2.5.0 or later version of Apache Ranger with the fix |
| Credit | Gyujin |

| CVE-2024-45479 | SSRF vulnerability in Edit Service Page of Apache Ranger UI |
|---|---|
| Severity | Moderate |
| Vendor | The Apache Software Foundation |
| Versions Affected | Apache Ranger versions prior to 2.5.0 |
| Users affected | All users of ranger policy admin tool UI |
| Description | Apache Ranger was found to be vulnerable to an SSRF issue in Edit Service functionality |
| Fix detail | Added logic to validate the user input |
| Mitigation | Users should upgrade to 2.5.0 or later version of Apache Ranger with the fix |
| Credit | Gyujin |

| CVE-2019-12397 | Apache Ranger cross site scripting issue |
|---|---|
| Vendor | The Apache Software Foundation |
| Versions Affected | 0.7.0 to 1.2.0 versions of Apache Ranger, prior to 2.0.0 |
| Users affected | All users of ranger policy admin tool |
| Description | Apache Ranger was found to be vulnerable to a Cross-Site Scripting issue in policy import functionality |
| Fix detail | Added logic to sanitize the user input |
| Mitigation | Users should upgrade to 2.0.0 or later version of Apache Ranger with the fix |
| Credit | Jan Kaszycki from STM Solutions |

| CVE-2018-11778 | Apache Ranger Stack based buffer overflow |
|---|---|
| Severity | Critical |
| Vendor | The Apache Software Foundation |
| Versions Affected | Apache Ranger versions prior to 1.2.0 |
| Users affected | Unix Authentication Service users |
| Description | Apache Ranger UnixAuthenticationService should properly handle user input to avoid Stack-based buffer overflow |
| Fix detail | UnixAuthenticationService was updated to correctly handle user input |
| Mitigation | Users should upgrade to 1.2.0 or later version of Apache Ranger with the fix |
| Credit | Alexander Klink |

| CVE-2017-7676 | Apache Ranger policy evaluation ignores characters after ‘*’ wildcard character |
|---|---|
| Severity | Critical |
| Vendor | The Apache Software Foundation |
| Versions Affected | 0.6.x/0.7.0 versions of Apache Ranger |
| Users affected | Environments that use Ranger policies with characters after the ‘*’ wildcard character, such as my*test or test*.txt |
| Description | The policy resource matcher effectively ignores characters after the ‘*’ wildcard character. This can result in affected policies applying to resources where they should not be applied |
| Fix detail | Ranger policy resource matcher was updated to correctly handle wildcard matches. |
| Mitigation | Users should upgrade to 0.7.1 or later version of Apache Ranger with the fix |

| CVE-2017-7677 | Apache Ranger Hive Authorizer should check for RWX permission when external location is specified |
|---|---|
| Severity | Critical |
| Vendor | The Apache Software Foundation |
| Versions Affected | 0.5.x/0.6.x/0.7.0 versions of Apache Ranger |
| Users affected | Environments that use external location for hive tables |
| Description | Without the Ranger Hive Authorizer checking RWX permission when an external location is specified, it is possible that the correct permissions are not required to create the table |
| Fix detail | Ranger Hive Authorizer was updated to correctly handle permission check with external location |
| Mitigation | Users should upgrade to 0.7.1 or later version of Apache Ranger with the fix |

| CVE-2016-8746 | Apache Ranger path matching issue in policy evaluation |
|---|---|
| Severity | Normal |
| Vendor | The Apache Software Foundation |
| Versions Affected | 0.6.0/0.6.1/0.6.2 versions of Apache Ranger |
| Users affected | All users of ranger policy admin tool |
| Description | The Ranger policy engine incorrectly matches paths in certain conditions when the policy does not contain wildcards and has the recursion flag set to true |
| Fix detail | Fixed policy evaluation logic |
| Mitigation | Users should upgrade to 0.6.3 or later version of Apache Ranger with the fix |

| CVE-2016-8751 | Apache Ranger stored cross site scripting issue |
|---|---|
| Severity | Normal |
| Vendor | The Apache Software Foundation |
| Versions Affected | 0.5.x and 0.6.0/0.6.1/0.6.2 versions of Apache Ranger |
| Users affected | All users of ranger policy admin tool |
| Description | Apache Ranger was found to be vulnerable to a Stored Cross-Site Scripting issue when entering custom policy conditions. Admin users can store arbitrary JavaScript code to be executed when normal users log in and access policies |
| Fix detail | Added logic to sanitize the user input |
| Mitigation | Users should upgrade to 0.6.3 or later version of Apache Ranger with the fix |

| CVE-2016-6815 | Apache Ranger user privilege vulnerability |
|---|---|
| Severity | Normal |
| Vendor | The Apache Software Foundation |
| Versions Affected | All 0.5.x versions or 0.6.0/0.6.1 versions of Apache Ranger |
| Users affected | All users of ranger policy admin tool |
| Description | Users with the “keyadmin” role should not be allowed to change the password of users with the admin role |
| Fix detail | Added logic to validate the user privilege in the backend |
| Mitigation | Users should upgrade to 0.6.2 or later version of Apache Ranger with the fix |

| CVE-2016-5395 | Apache Ranger Stored Cross Site Scripting vulnerability |
|---|---|
| Severity | Normal |
| Vendor | The Apache Software Foundation |
| Versions Affected | All 0.5.x versions of Apache Ranger and version 0.6.0 |
| Users affected | All users of ranger policy admin tool |
| Description | Apache Ranger was found to be vulnerable to a Stored Cross-Site Scripting issue in the create user functionality. Admin users can store arbitrary JavaScript code to be executed when normal users log in and access policies |
| Fix detail | Added logic to sanitize the user input |
| Mitigation | Users should upgrade to 0.6.1 or later version of Apache Ranger with the fix |
| Credit | Thanks to Victor Hora from Securus Global for reporting this issue |

| CVE-2016-2174 | Apache Ranger SQL injection vulnerability |
|---|---|
| Severity | Normal |
| Vendor | The Apache Software Foundation |
| Versions Affected | All versions of Apache Ranger from 0.5.0 (up to 0.5.3) |
| Users affected | All admin users of ranger policy admin tool |
| Description | SQL Injection vulnerability in the Audit > Access tab. When the user clicks an element from the policyId row of the list, a call is made underneath with the eventTime parameter, which contains the vulnerability. Admin users can send arbitrary SQL code to be executed along with the eventTime parameter using the /service/plugins/policies/eventTime URL |
| Fix detail | Replaced native queries with JPA named queries |
| Mitigation | Users should upgrade to version 0.5.3 of Apache Ranger with the fix |
| Credit | Thanks to Mateusz Olejarka from SecuRing for reporting this issue |

| CVE-2015-5167 | Restrict REST API data access for non-admin users |
|---|---|
| Severity | Important |
| Vendor | The Apache Software Foundation |
| Versions Affected | 0.4.0 and 0.5.0 version of Apache Ranger |
| Users affected | All users of ranger policy admin tool |
| Description | Data access restrictions via the REST API are not consistent with the restrictions in the policy admin UI |
| Mitigation | Users should upgrade to Ranger version 0.5.1 |

| CVE-2016-0733 | Ranger Admin authentication issue |
|---|---|
| Severity | Important |
| Vendor | The Apache Software Foundation |
| Versions Affected | 0.4.0 and 0.5.0 version of Apache Ranger |
| Users affected | All users of ranger policy admin tool |
| Description | Malicious users can gain access to the Ranger admin UI without proper authentication |
| Mitigation | Users should upgrade to Ranger version 0.5.1 |

| CVE-2015-0265 | Apache Ranger code injection vulnerability |
|---|---|
| Severity | Important |
| Vendor | The Apache Software Foundation |
| Versions Affected | 0.4.0 version of Apache Ranger |
| Users affected | All admin users of ranger policy admin tool |
| Description | Unauthorized users can send JavaScript code to be executed in ranger policy admin tool admin sessions |
| Fix detail | Added logic to sanitize the user input |
| Mitigation | Users should upgrade to 0.5.0+ version of Apache Ranger with the fix |
| Credit | Thanks to Jakub Kałużny from SecuRing for reporting this issue |

| CVE-2015-0266 | Apache Ranger direct url access vulnerability |
|---|---|
| Severity | Important |
| Vendor | The Apache Software Foundation |
| Versions Affected | 0.4.0 version of Apache Ranger |
| Users affected | All users of ranger policy admin tool |
| Description | Regular users can type in the URL of modules that are accessible only to admin users |
| Fix detail | Added logic in the backend to verify user access |
| Mitigation | Users should upgrade to 0.5.0+ version of Apache Ranger with the fix |
| Credit | Thanks to Jakub Kałużny from SecuRing for reporting this issue |