---
title: "Vulnerabilities Found in Apache Ranger"
---
<!--
- Licensed to the Apache Software Foundation (ASF) under one or more
- contributor license agreements. See the NOTICE file distributed with
- this work for additional information regarding copyright ownership.
- The ASF licenses this file to You under the Apache License, Version 2.0
- (the "License"); you may not use this file except in compliance with
- the License. You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
-->
## Introduction
This page lists the security vulnerabilities that have been found in Apache Ranger, grouped by the release that fixed them. For each vulnerability the table gives the CVE identifier and title, the severity, the vendor, the affected versions, the affected users, a description, the fix detail, the mitigation and, where available, credit to the reporter.
### Fixed in Ranger [2.6.0](../release-notes/2.6.0.md)
| CVE-2024-55532 | Improper Neutralization of Formula Elements in a CSV File in Export to CSV feature of Apache Ranger |
|-------------------|----------------------------------------------------------------------------------------------------|
| Severity | Low |
| Vendor | The Apache Software Foundation |
| Versions Affected | Apache Ranger versions prior to `2.6.0` |
| Users affected | All users of ranger policy admin tool |
| Description | Improper Neutralization issue in Export to CSV functionality |
| Fix detail | Added logic to properly sanitize the exported content |
| Mitigation | Users should upgrade to `2.6.0` or later version of Apache Ranger with the fix |
| Credit | 김도균 (a2256014@naver.com) |
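The entry above describes a CSV formula injection weakness (CWE-1236) in an export feature: a cell whose text begins with `=`, `+`, `-`, `@`, a tab or a carriage return is treated as a formula by spreadsheet applications that open the file. The following Python is an added illustration of the neutralization technique, not Ranger's own fix or code: it prefixes triggering cells with an apostrophe, quotes every field so the apostrophe survives parsing, and exempts plain numeric literals so legitimate negative numbers are not mangled. The header names and policy rows are constructed sample data.

```python
import csv
import io
import re

# Leading characters that make a spreadsheet evaluate a cell as a formula.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

# Plain numeric literals such as "-5" or "-3.25" are left untouched; an
# apostrophe would turn them into text in the spreadsheet.
_PLAIN_NUMBER = re.compile(r"^-?\d+(\.\d+)?$")


def neutralize_cell(value) -> str:
    """Return the cell text with a leading apostrophe if it would be read as a formula."""
    text = "" if value is None else str(value)
    if text.startswith(FORMULA_TRIGGERS) and not _PLAIN_NUMBER.match(text):
        return "'" + text
    return text


def export_csv(header, rows) -> str:
    """Serialize rows to CSV with every cell neutralized and every field quoted."""
    buf = io.StringIO()
    # QUOTE_ALL keeps the protective apostrophe inside a quoted field and also
    # prevents a value containing a comma or newline from breaking the row.
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow([neutralize_cell(h) for h in header])
    for row in rows:
        writer.writerow([neutralize_cell(c) for c in row])
    return buf.getvalue()


def is_safe_export(csv_text: str) -> bool:
    """Regression check: parse the CSV back and confirm no cell still starts with a trigger."""
    for row in csv.reader(io.StringIO(csv_text)):
        for cell in row:
            if cell.startswith(FORMULA_TRIGGERS) and not _PLAIN_NUMBER.match(cell):
                return False
    return True


# Constructed sample rows standing in for an exported policy list (hypothetical).
SAMPLE_HEADER = ["Policy Name", "Resource", "Users"]
SAMPLE_ROWS = [
    ["finance-read", "/data/finance", "alice"],
    ["=SUM(1,2)", "/data/scratch", "bob"],      # would be evaluated as a formula
    ["+quarterly", "/data/q1", "carol"],        # '+' is also a trigger
    ["-5", "/data/neg", "dave"],                # plain number, left as-is
]

if __name__ == "__main__":
    out = export_csv(SAMPLE_HEADER, SAMPLE_ROWS)
    print(out)
    print("safe:", is_safe_export(out))
```

A useful habit is to run a check like `is_safe_export` over every CSV the application emits in its test suite, so a new export path that bypasses the sanitizer is caught before release.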
### Fixed in Ranger [2.5.0](../release-notes/2.5.0.md)
| CVE-2024-45478 | Stored XSS vulnerability in Edit Service Page of Apache Ranger UI |
|-------------------|----------------------------------------------------------------------------------------------|
| Severity | Moderate |
| Vendor | The Apache Software Foundation |
| Versions Affected | Apache Ranger versions prior to `2.5.0` |
| Users affected | All users of ranger policy admin tool UI |
| Description | Apache Ranger was found to be vulnerable to a Stored XSS issue in the Edit Service functionality |
| Fix detail | Added logic to validate the user input |
| Mitigation | Users should upgrade to `2.5.0` or later version of Apache Ranger with the fix |
| Credit | Gyujin |

| CVE-2024-45479 | SSRF vulnerability in Edit Service Page of Apache Ranger UI |
|-------------------|----------------------------------------------------------------------------------------------|
| Severity | Moderate |
| Vendor | The Apache Software Foundation |
| Versions Affected | Apache Ranger versions prior to `2.5.0` |
| Users affected | All users of ranger policy admin tool UI |
| Description | Apache Ranger was found to be vulnerable to an SSRF issue in the Edit Service functionality |
| Fix detail | Added logic to validate the user input |
| Mitigation | Users should upgrade to `2.5.0` or later version of Apache Ranger with the fix |
| Credit | Gyujin |
### Fixed in Ranger 2.0.0
| CVE-2019-12397 | Apache Ranger cross site scripting issue |
|-------------------|---------------------------------------------------------------------------------------------------|
| Vendor | The Apache Software Foundation |
| Versions Affected | `0.7.0` to `1.2.0` versions of Apache Ranger, prior to `2.0.0` |
| Users affected | All users of ranger policy admin tool |
| Description | Apache Ranger was found to be vulnerable to a Cross-Site Scripting issue in the policy import functionality |
| Fix detail | Added logic to sanitize the user input |
| Mitigation | Users should upgrade to `2.0.0` or later version of Apache Ranger with the fix |
| Credit | Jan Kaszycki from STM Solutions |
### Fixed in Ranger 1.2.0
| CVE-2018-11778 | Apache Ranger Stack based buffer overflow |
|-------------------|----------------------------------------------------------------------------------------------------------------|
| Severity | Critical |
| Vendor | The Apache Software Foundation |
| Versions Affected | Apache Ranger versions prior to `1.2.0` |
| Users affected | Unix Authentication Service users |
| Description | Apache Ranger UnixAuthenticationService should properly handle user input to avoid Stack-based buffer overflow |
| Fix detail | UnixAuthenticationService was updated to correctly handle user input |
| Mitigation | Users should upgrade to `1.2.0` or later version of Apache Ranger with the fix |
| Credit | Alexander Klink |
### Fixed in Ranger 0.7.1
| CVE-2017-7676 | Apache Ranger policy evaluation ignores characters after the `*` wildcard character |
|-------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Severity | Critical |
| Vendor | The Apache Software Foundation |
| Versions Affected | `0.6.x`/`0.7.0` versions of Apache Ranger |
| Users affected | Environments that use Ranger policies with characters after the `*` wildcard character, such as `my*test` or `test*.txt` |
| Description | The policy resource matcher effectively ignores characters after the `*` wildcard character. This can result in affected policies applying to resources where they should not be applied |
| Fix detail | Ranger policy resource matcher was updated to correctly handle wildcard matches. |
| Mitigation | Users should upgrade to `0.7.1` or later version of Apache Ranger with the fix |
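The failure mode described above is a matcher that treats everything after the first `*` as irrelevant, so a policy written for `my*test` also grants access to `myfoo`. The Python below is an added illustration, not Ranger's resource matcher or its fix: a reconstruction of the truncating behaviour sits beside a matcher that honours the whole pattern, and an audit helper lists the resources that only the truncating matcher would grant. It handles only the `*` wildcard and treats everything else literally; the resource names are constructed samples.

```python
import re


def match_truncated(pattern: str, path: str) -> bool:
    """Flawed matcher (hypothetical reconstruction of the reported behaviour):
    once a '*' is seen, the text after it is never compared, so the pattern
    degenerates into a prefix match."""
    if "*" not in pattern:
        return pattern == path
    prefix = pattern.split("*", 1)[0]
    return path.startswith(prefix)


def match_wildcard(pattern: str, path: str) -> bool:
    """Correct matcher: every literal segment of the pattern is anchored in
    order, and the match must consume the whole path (fullmatch)."""
    regex = ".*".join(re.escape(segment) for segment in pattern.split("*"))
    return re.fullmatch(regex, path) is not None


def over_granted(pattern: str, resources) -> list:
    """Resources the truncating matcher would allow but the correct matcher
    rejects, i.e. the unintended grants a policy with this pattern produced."""
    return [r for r in resources
            if match_truncated(pattern, r) and not match_wildcard(pattern, r)]


# Constructed sample resource names (not taken from any real deployment).
SAMPLE_RESOURCES = {
    "my*test": ["mytest", "myfootest", "myfoo", "my", "test"],
    "test*.txt": ["test.txt", "test1.txt", "test1.csv", "testing"],
}

if __name__ == "__main__":
    for pattern, resources in SAMPLE_RESOURCES.items():
        print(f"{pattern!r}: unintended grants -> {over_granted(pattern, resources)}")
```

Running the audit helper over a dump of policy resource patterns and the paths they were actually applied to is a cheap way to see, before and after an upgrade, whether any policy was relying on the buggy behaviour.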

| CVE-2017-7677 | Apache Ranger Hive Authorizer should check for RWX permission when external location is specified |
|-------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Severity | Critical |
| Vendor | The Apache Software Foundation |
| Versions Affected | `0.5.x`/`0.6.x`/`0.7.0` versions of Apache Ranger |
| Users affected | Environments that use external location for hive tables |
| Description | Because the Ranger Hive Authorizer did not check RWX permission on the external location when one is specified, a table could be created over that location without the user holding the required permissions |
| Fix detail | Ranger Hive Authorizer was updated to correctly handle permission check with external location |
| Mitigation | Users should upgrade to `0.7.1` or later version of Apache Ranger with the fix |
### Fixed in Ranger 0.6.3
| CVE-2016-8746 | Apache Ranger path matching issue in policy evaluation |
|-------------------|------------------------------------------------------------------------------------------------------------------------------------------------|
| Severity | Normal |
| Vendor | The Apache Software Foundation |
| Versions Affected | `0.6.0`/`0.6.1`/`0.6.2` versions of Apache Ranger |
| Users affected | All users of ranger policy admin tool |
| Description | Ranger policy engine incorrectly matches paths in certain conditions when policy does not contain wildcards and has recursion flag set to true |
| Fix detail | Fixed policy evaluation logic |
| Mitigation | Users should upgrade to `0.6.3` or later version of Apache Ranger with the fix |

| CVE-2016-8751 | Apache Ranger stored cross site scripting issue |
|-------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Severity | Normal |
| Vendor | The Apache Software Foundation |
| Versions Affected | `0.5.x` and `0.6.0`/`0.6.1`/`0.6.2` versions of Apache Ranger |
| Users affected | All users of ranger policy admin tool |
| Description | Apache Ranger was found to be vulnerable to Stored Cross-Site Scripting when entering custom policy conditions. Admin users can store arbitrary JavaScript code that is executed when normal users log in and access policies |
| Fix detail | Added logic to sanitize the user input |
| Mitigation | Users should upgrade to `0.6.3` or later version of Apache Ranger with the fix |
### Fixed in Ranger 0.6.2
| CVE-2016-6815 | Apache Ranger user privilege vulnerability |
|-------------------|-------------------------------------------------------------------------------------------------|
| Severity | Normal |
| Vendor | The Apache Software Foundation |
| Versions Affected | All `0.5.x` versions or `0.6.0`/`0.6.1` versions of Apache Ranger |
| Users affected | All users of ranger policy admin tool |
| Description | Users with "keyadmin" role should not be allowed to change password for users with `admin` role |
| Fix detail | Added logic to validate the user privilege in the backend |
| Mitigation | Users should upgrade to `0.6.2` or later version of Apache Ranger with the fix |
### Fixed in Ranger 0.6.1
| CVE-2016-5395 | Apache Ranger Stored Cross Site Scripting vulnerability |
|-------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Severity | Normal |
| Vendor | The Apache Software Foundation |
| Versions Affected | All `0.5.x` versions of Apache Ranger and version `0.6.0` |
| Users affected | All users of ranger policy admin tool |
| Description | Apache Ranger was found to be vulnerable to Stored Cross-Site Scripting in the create user functionality. Admin users can store arbitrary JavaScript code that is executed when normal users log in and access policies |
| Fix detail | Added logic to sanitize the user input |
| Mitigation | Users should upgrade to `0.6.1` or later version of Apache Ranger with the fix |
| Credit | Thanks to Victor Hora from Securus Global for reporting this issue |
### Fixed in Ranger 0.5.3
| CVE-2016-2174 | Apache Ranger SQL injection vulnerability |
|-------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Severity | Normal |
| Vendor | The Apache Software Foundation |
| Versions Affected | All versions of Apache Ranger from `0.5.0` (up to `0.5.3`) |
| Users affected | All admin users of ranger policy admin tool |
| Description | SQL injection vulnerability in the Audit > Access tab. When the user clicks an element in the `policyId` column of the list, a call is made underneath with the `eventTime` parameter, which contains the vulnerability. Admin users can send arbitrary SQL code to be executed along with the `eventTime` parameter using the `/service/plugins/policies/eventTime` URL |
| Fix detail | Replaced native queries with JPA named queries |
| Mitigation | Users should upgrade to `0.5.3` version of Apache Ranger with the fix |
| Credit | Thanks to Mateusz Olejarka from SecuRing for reporting this issue |
### Fixed in Ranger 0.5.1
| CVE-2015-5167 | Restrict REST API data access for non-admin users |
|-------------------|-------------------------------------------------------------------------------------------------------------------------------------|
| Severity | Important |
| Vendor | The Apache Software Foundation |
| Versions Affected | `0.4.0` and `0.5.0` version of Apache Ranger |
| Users affected | All users of ranger policy admin tool |
| Description | Data access restrictions via REST API are not consistent with restrictions in policy admin UI |
| Mitigation | Users should upgrade to Ranger `0.5.1` version |

| CVE-2016-0733 | Ranger Admin authentication issue |
|-------------------|------------------------------------------------------------------------------------------------------------|
| Severity | Important |
| Vendor | The Apache Software Foundation |
| Versions Affected | `0.4.0` and `0.5.0` version of Apache Ranger |
| Users affected | All users of ranger policy admin tool |
| Description | Malicious users can gain access to the Ranger admin UI without proper authentication |
| Mitigation | Users should upgrade to Ranger `0.5.1` version |
### Fixed in Ranger 0.5.0
| CVE-2015-0265 | Apache Ranger code injection vulnerability |
|-------------------|------------------------------------------------------------------------------------------------------------|
| Severity | Important |
| Vendor | The Apache Software Foundation |
| Versions Affected | `0.4.0` version of Apache Ranger |
| Users affected | All admin users of ranger policy admin tool |
| Description | Unauthorized users can send JavaScript code to be executed in ranger policy admin tool admin sessions |
| Fix detail | Added logic to sanitize the user input |
| Mitigation | Users should upgrade to `0.5.0+` version of Apache Ranger with the fix |
| Credit | Thanks to Jakub Kałużny from SecuRing for reporting this issue |

| CVE-2015-0266 | Apache Ranger direct url access vulnerability |
|-------------------|------------------------------------------------------------------------------------------------------------|
| Severity | Important |
| Vendor | The Apache Software Foundation |
| Versions Affected | `0.4.0` version of Apache Ranger |
| Users affected | All users of ranger policy admin tool |
| Description | Regular users can type in the URL of modules that are accessible only to admin users |
| Fix detail | Added logic in the backend to verify user access |
| Mitigation | Users should upgrade to `0.5.0+` version of Apache Ranger with the fix |
| Credit | Thanks to Jakub Kałużny from SecuRing for reporting this issue |