Search

Find a vulnerability

Search criteria Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.

    42 vulnerabilities found for ranger by apache

    CVE-2025-59060 (GCVE-0-2025-59060)

    Vulnerability from nvd – Published: 2026-03-03 10:46 – Updated: 2026-03-03 14:49
    VLAI
    Title
    Apache Ranger: Hostname verification bypass in NiFiRegistryClient and NifiClient
    Summary
    Hostname verification bypass issue in Apache Ranger NiFiRegistryClient/NiFiClient is reported in Apache Ranger versions <= 2.7.0. Users are recommended to upgrade to version 2.8.0, which fixes this issue.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-297 - Improper Validation of Certificate with Host Mismatch
    Assigner
    Impacted products
    Vendor Product Version
    Apache Software Foundation Apache Ranger Affected: 0 , ≤ 2.7.0 (semver)
    Create a notification for this product.
    Credits
    Nikita Markevich <markevich.nikita1@gmail.com>
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2026-03-03T11:14:18.408Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "url": "http://www.openwall.com/lists/oss-security/2026/03/02/4"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 5.3,
                  "baseSeverity": "MEDIUM",
                  "confidentialityImpact": "LOW",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-59060",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-03-03T14:47:44.951917Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-03-03T14:49:34.864Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Apache Ranger",
              "vendor": "Apache Software Foundation",
              "versions": [
                {
                  "lessThanOrEqual": "2.7.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Nikita Markevich \u003cmarkevich.nikita1@gmail.com\u003e"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eHostname verification bypass issue in Apache Ranger NiFiRegistryClient/NiFiClient is reported in Apache Ranger versions \u0026lt;= 2.7.0.\u003c/p\u003eUsers are recommended to upgrade to version 2.8.0, which fixes this issue."
                }
              ],
              "value": "Hostname verification bypass issue in Apache Ranger NiFiRegistryClient/NiFiClient is reported in Apache Ranger versions \u003c= 2.7.0.\n\nUsers are recommended to upgrade to version 2.8.0, which fixes this issue."
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "text": "low"
                },
                "type": "Textual description of severity"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-297",
                  "description": "CWE-297 Improper Validation of Certificate with Host Mismatch",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-03-03T10:46:52.382Z",
            "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
            "shortName": "apache"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.apache.org/thread/c4plx81z3xs86vgl3fd95y3q7hhtff05"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Apache Ranger: Hostname verification bypass in NiFiRegistryClient and NifiClient",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "assignerShortName": "apache",
        "cveId": "CVE-2025-59060",
        "datePublished": "2026-03-03T10:46:52.382Z",
        "dateReserved": "2025-09-08T18:55:29.925Z",
        "dateUpdated": "2026-03-03T14:49:34.864Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-59059 (GCVE-0-2025-59059)

    Vulnerability from nvd – Published: 2026-03-03 10:44 – Updated: 2026-03-03 14:54
    VLAI
    Title
    Apache Ranger: Remote Code Execution Vulnerability in NashornScriptEngineCreator
    Summary
    Remote Code Execution Vulnerability in NashornScriptEngineCreator is reported in Apache Ranger versions <= 2.7.0. Users are recommended to upgrade to version 2.8.0, which fixes this issue.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-94 - Improper Control of Generation of Code ('Code Injection')
    Assigner
    Impacted products
    Vendor Product Version
    Apache Software Foundation Apache Ranger Affected: 0 , ≤ 2.7.0 (semver)
    Create a notification for this product.
    Credits
    chengtianyi <chengtianyi@huawei.com>
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2026-03-03T11:14:16.410Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "url": "http://www.openwall.com/lists/oss-security/2026/03/02/5"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 9.8,
                  "baseSeverity": "CRITICAL",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-59059",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-03-03T14:53:28.058830Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-03-03T14:54:30.232Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Apache Ranger",
              "vendor": "Apache Software Foundation",
              "versions": [
                {
                  "lessThanOrEqual": "2.7.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "chengtianyi \u003cchengtianyi@huawei.com\u003e"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Remote Code Execution Vulnerability in NashornScriptEngineCreator is reported in Apache Ranger versions \u0026lt;= 2.7.0.\u003cbr\u003eUsers are recommended to upgrade to version 2.8.0, which fixes this issue."
                }
              ],
              "value": "Remote Code Execution Vulnerability in NashornScriptEngineCreator is reported in Apache Ranger versions \u003c= 2.7.0.\nUsers are recommended to upgrade to version 2.8.0, which fixes this issue."
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "text": "low"
                },
                "type": "Textual description of severity"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-94",
                  "description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-03-03T10:44:47.294Z",
            "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
            "shortName": "apache"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.apache.org/thread/z47q86rho80390lf2qcmoc2josvs0gtv"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Apache Ranger: Remote Code Execution Vulnerability in NashornScriptEngineCreator",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "assignerShortName": "apache",
        "cveId": "CVE-2025-59059",
        "datePublished": "2026-03-03T10:44:47.294Z",
        "dateReserved": "2025-09-08T18:36:43.801Z",
        "dateUpdated": "2026-03-03T14:54:30.232Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-55532 (GCVE-0-2024-55532)

    Vulnerability from nvd – Published: 2025-03-03 16:04 – Updated: 2025-03-04 16:10
    VLAI
    Title
    Apache Ranger: Improper Neutralization of Formula Elements in a CSV File
    Summary
    Improper Neutralization of Formula Elements in Export CSV feature of Apache Ranger in Apache Ranger Version < 2.6.0. Users are recommended to upgrade to version 2.6.0, which fixes this issue.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-1236 - Improper Neutralization of Formula Elements in a CSV File
    Assigner
    Impacted products
    Vendor Product Version
    Apache Software Foundation Apache Ranger Affected: 0 , ≤ 2.5.0 (semver)
    Create a notification for this product.
    Credits
    "김도균"<a2256014@naver.com>
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2025-03-03T18:03:23.427Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "url": "http://www.openwall.com/lists/oss-security/2025/03/03/2"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 9.8,
                  "baseSeverity": "CRITICAL",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-55532",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-03-04T16:08:29.686366Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-03-04T16:10:02.790Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Apache Ranger",
              "vendor": "Apache Software Foundation",
              "versions": [
                {
                  "lessThanOrEqual": "2.5.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "\"\uae40\ub3c4\uade0\"\u003ca2256014@naver.com\u003e"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Improper Neutralization of Formula Elements in Export CSV feature of Apache Ranger in Apache Ranger Version \u0026lt; 2.6.0.\u003cbr\u003eUsers are recommended to upgrade to version 2.6.0, which fixes this issue."
                }
              ],
              "value": "Improper Neutralization of Formula Elements in Export CSV feature of Apache Ranger in Apache Ranger Version \u003c 2.6.0.\nUsers are recommended to upgrade to version 2.6.0, which fixes this issue."
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "text": "low"
                },
                "type": "Textual description of severity"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-1236",
                  "description": "CWE-1236 Improper Neutralization of Formula Elements in a CSV File",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-03-03T16:17:56.227Z",
            "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
            "shortName": "apache"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://cwiki.apache.org/confluence/display/RANGER/Vulnerabilities+found+in+Ranger"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Apache Ranger: Improper Neutralization of Formula Elements in a CSV File",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "assignerShortName": "apache",
        "cveId": "CVE-2024-55532",
        "datePublished": "2025-03-03T16:04:54.856Z",
        "dateReserved": "2024-12-06T14:40:07.948Z",
        "dateUpdated": "2025-03-04T16:10:02.790Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-45479 (GCVE-0-2024-45479)

    Vulnerability from nvd – Published: 2025-01-21 21:26 – Updated: 2025-06-10 09:06
    VLAI
    Title
    Apache Ranger: SSRF in Edit Service page - Add logic to filter requests to localhost
    Summary
    SSRF vulnerability in Edit Service Page of Apache Ranger UI in Apache Ranger Version 2.4.0. Users are recommended to upgrade to version Apache Ranger 2.5.0, which fixes this issue.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-918 - Server-Side Request Forgery (SSRF)
    Assigner
    Impacted products
    Vendor Product Version
    Apache Software Foundation Apache Ranger Affected: 2.4.0 , < 2.5.0 (semver)
    Create a notification for this product.
    Credits
    Gyujin (biz@web-us.kr)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2025-01-21T22:02:49.988Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "url": "http://www.openwall.com/lists/oss-security/2025/01/21/4"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 9.1,
                  "baseSeverity": "CRITICAL",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-45479",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-01-22T14:43:56.539586Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-01-27T21:06:38.671Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Apache Ranger",
              "vendor": "Apache Software Foundation",
              "versions": [
                {
                  "lessThan": "2.5.0",
                  "status": "affected",
                  "version": "2.4.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Gyujin (biz@web-us.kr)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "SSRF vulnerability in Edit Service Page of Apache Ranger UI in Apache Ranger Version 2.4.0.\u003cbr\u003eUsers are recommended to upgrade to version Apache Ranger 2.5.0, which fixes this issue."
                }
              ],
              "value": "SSRF vulnerability in Edit Service Page of Apache Ranger UI in Apache Ranger Version 2.4.0.\nUsers are recommended to upgrade to version Apache Ranger 2.5.0, which fixes this issue."
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "text": "moderate"
                },
                "type": "Textual description of severity"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-918",
                  "description": "CWE-918 Server-Side Request Forgery (SSRF)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-06-10T09:06:33.435Z",
            "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
            "shortName": "apache"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://cwiki.apache.org/confluence/display/RANGER/Vulnerabilities+found+in+Ranger"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Apache Ranger: SSRF in Edit Service page - Add logic to filter requests to localhost",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "assignerShortName": "apache",
        "cveId": "CVE-2024-45479",
        "datePublished": "2025-01-21T21:26:16.500Z",
        "dateReserved": "2024-08-29T14:51:06.723Z",
        "dateUpdated": "2025-06-10T09:06:33.435Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-45478 (GCVE-0-2024-45478)

    Vulnerability from nvd – Published: 2025-01-21 21:25 – Updated: 2025-06-10 09:05
    VLAI
    Title
    Apache Ranger: Stored XSS in Edit Service page - Add logic to validate user input
    Summary
    Stored XSS vulnerability in Edit Service Page of Apache Ranger UI in Apache Ranger Version 2.4.0. Users are recommended to upgrade to version Apache Ranger 2.5.0, which fixes this issue.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Vendor Product Version
    Apache Software Foundation Apache Ranger Affected: 2.4.0 , < 2.5.0 (semver)
    Create a notification for this product.
    Credits
    Gyujin (biz@web-us.kr)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2025-01-21T22:02:48.006Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "url": "http://www.openwall.com/lists/oss-security/2025/01/21/3"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 4.8,
                  "baseSeverity": "MEDIUM",
                  "confidentialityImpact": "LOW",
                  "integrityImpact": "LOW",
                  "privilegesRequired": "HIGH",
                  "scope": "CHANGED",
                  "userInteraction": "REQUIRED",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-45478",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-01-22T18:43:51.825307Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-01-22T18:52:12.206Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Apache Ranger",
              "vendor": "Apache Software Foundation",
              "versions": [
                {
                  "lessThan": "2.5.0",
                  "status": "affected",
                  "version": "2.4.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Gyujin (biz@web-us.kr)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Stored XSS vulnerability in Edit Service Page of Apache Ranger UI in Apache Ranger Version 2.4.0.\u003cbr\u003eUsers are recommended to upgrade to version Apache Ranger 2.5.0, which fixes this issue."
                }
              ],
              "value": "Stored XSS vulnerability in Edit Service Page of Apache Ranger UI in Apache Ranger Version 2.4.0.\nUsers are recommended to upgrade to version Apache Ranger 2.5.0, which fixes this issue."
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "text": "moderate"
                },
                "type": "Textual description of severity"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-06-10T09:05:27.590Z",
            "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
            "shortName": "apache"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://cwiki.apache.org/confluence/display/RANGER/Vulnerabilities+found+in+Ranger"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Apache Ranger: Stored XSS in Edit Service page - Add logic to validate user input",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "assignerShortName": "apache",
        "cveId": "CVE-2024-45478",
        "datePublished": "2025-01-21T21:25:58.276Z",
        "dateReserved": "2024-08-29T14:30:58.496Z",
        "dateUpdated": "2025-06-10T09:05:27.590Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-45048 (GCVE-0-2022-45048)

    Vulnerability from nvd – Published: 2023-05-05 07:50 – Updated: 2024-10-15 18:12
    VLAI
    Title
    Apache Ranger: code execution vulnerability in policy expressions
    Summary
    Authenticated users with appropriate privileges can create policies having expressions that can exploit code execution vulnerability. This issue affects Apache Ranger: 2.3.0. Users are recommended to update to version 2.4.0.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
    Assigner
    References
    Impacted products
    Vendor Product Version
    Apache Software Foundation Apache Ranger Affected: 2.3.0
    Create a notification for this product.
    apache ranger Affected: 2.3.0
        cpe:2.3:a:apache:ranger:2.3.0:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    g1831767442@163.com
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T14:01:31.503Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread/6rpzwy1smdhr60tsh1ydknn3kdm45bb6"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:apache:ranger:2.3.0:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "ranger",
                "vendor": "apache",
                "versions": [
                  {
                    "status": "affected",
                    "version": "2.3.0"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 8.4,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "HIGH",
                  "scope": "CHANGED",
                  "userInteraction": "REQUIRED",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2022-45048",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-15T18:11:38.936548Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-15T18:12:43.127Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Apache Ranger",
              "vendor": "Apache Software Foundation",
              "versions": [
                {
                  "status": "affected",
                  "version": "2.3.0"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "g1831767442@163.com"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eAuthenticated users with appropriate privileges can create policies having expressions that can exploit code execution vulnerability.\u0026nbsp;This issue affects Apache Ranger: 2.3.0. Users are recommended to update to version 2.4.0.\u003cbr\u003e\u003c/p\u003e"
                }
              ],
              "value": "Authenticated users with appropriate privileges can create policies having expressions that can exploit code execution vulnerability.\u00a0This issue affects Apache Ranger: 2.3.0. Users are recommended to update to version 2.4.0.\n\n\n"
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.4,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-74",
                  "description": "CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-05-05T07:50:25.762Z",
            "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
            "shortName": "apache"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.apache.org/thread/6rpzwy1smdhr60tsh1ydknn3kdm45bb6"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Apache Ranger: code execution vulnerability in policy expressions",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "assignerShortName": "apache",
        "cveId": "CVE-2022-45048",
        "datePublished": "2023-05-05T07:50:25.762Z",
        "dateReserved": "2022-11-08T10:32:53.853Z",
        "dateUpdated": "2024-10-15T18:12:43.127Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-40331 (GCVE-0-2021-40331)

    Vulnerability from nvd – Published: 2023-05-05 07:55 – Updated: 2024-10-11 17:07
    VLAI
    Title
    Permissions problem in the Apache Ranger Hive Plugin
    Summary
    An Incorrect Permission Assignment for Critical Resource vulnerability was found in the Apache Ranger Hive Plugin. Any user with SELECT privilege on a database can alter the ownership of the table in Hive when Apache Ranger Hive Plugin is enabled This issue affects Apache Ranger Hive Plugin: from 2.0.0 through 2.3.0. Users are recommended to upgrade to version 2.4.0 or later.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-732 - Incorrect Permission Assignment for Critical Resource
    Assigner
    References
    Impacted products
    Vendor Product Version
    Apache Software Foundation Apache Ranger Hive Plugin Affected: 2.0.0 , ≤ 2.3.0 (semver)
    Create a notification for this product.
    apache ranger Affected: 2.0.0 , ≤ 2.3.0 (custom)
        cpe:2.3:a:apache:ranger:*:*:*:*:*:hive:*:*
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T02:27:31.979Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread/s68yls6cnkdmzn1k4hqt50vs6wjvt2rn"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:apache:ranger:*:*:*:*:*:hive:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "ranger",
                "vendor": "apache",
                "versions": [
                  {
                    "lessThanOrEqual": "2.3.0",
                    "status": "affected",
                    "version": "2.0.0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 8.1,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "LOW",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2021-40331",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-11T17:06:08.372365Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-11T17:07:19.817Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Apache Ranger Hive Plugin",
              "vendor": "Apache Software Foundation",
              "versions": [
                {
                  "lessThanOrEqual": "2.3.0",
                  "status": "affected",
                  "version": "2.0.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "An Incorrect Permission Assignment for Critical Resource vulnerability was found in the Apache Ranger Hive Plugin. Any user with SELECT privilege on a database can alter the ownership of the table in Hive when Apache Ranger Hive Plugin is enabled\u003cbr\u003e\u003cp\u003eThis issue affects Apache Ranger Hive Plugin: from 2.0.0 through 2.3.0. Users are recommended to upgrade to version 2.4.0 or later.\u003cbr\u003e\u003c/p\u003e"
                }
              ],
              "value": "An Incorrect Permission Assignment for Critical Resource vulnerability was found in the Apache Ranger Hive Plugin. Any user with SELECT privilege on a database can alter the ownership of the table in Hive when Apache Ranger Hive Plugin is enabled\nThis issue affects Apache Ranger Hive Plugin: from 2.0.0 through 2.3.0. Users are recommended to upgrade to version 2.4.0 or later.\n\n\n"
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "text": "critical"
                },
                "type": "Textual description of severity"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-732",
                  "description": "CWE-732 Incorrect Permission Assignment for Critical Resource",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-05-05T07:55:06.554Z",
            "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
            "shortName": "apache"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.apache.org/thread/s68yls6cnkdmzn1k4hqt50vs6wjvt2rn"
            }
          ],
          "source": {
            "defect": [
              "RANGER-3474",
              "RANGER-3357"
            ],
            "discovery": "UNKNOWN"
          },
          "title": "Permissions problem in the Apache Ranger Hive Plugin",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "assignerShortName": "apache",
        "cveId": "CVE-2021-40331",
        "datePublished": "2023-05-05T07:55:06.554Z",
        "dateReserved": "2021-08-31T09:23:23.832Z",
        "dateUpdated": "2024-10-11T17:07:19.817Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2019-12397 (GCVE-0-2019-12397)

    Vulnerability from nvd – Published: 2019-08-08 17:06 – Updated: 2024-08-04 23:17
    VLAI
    Summary
    Policy import functionality in Apache Ranger 0.7.0 to 1.2.0 is vulnerable to a cross-site scripting issue. Upgrade to 2.0.0 or later version of Apache Ranger with the fix.
    Severity
    No CVSS data available.
    CWE
    • Cross-site scripting
    Assigner
    References
    Impacted products
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T23:17:40.107Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://cwiki.apache.org/confluence/display/RANGER/Vulnerabilities+found+in+Ranger"
              },
              {
                "name": "[oss-security] 20190808 CVE update - fixed in Apache Ranger 2.0.0",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "http://www.openwall.com/lists/oss-security/2019/08/08/1"
              },
              {
                "name": "[ranger-dev] 20191229 [jira] [Created] (RANGER-2681) CVE-2019-12397: Apache Ranger cross site scripting issue",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/ab2de1adad96f5dbd19d976b28715dfc60dbe75e82a74f48be8ef695%40%3Cdev.ranger.apache.org%3E"
              },
              {
                "name": "[ranger-dev] 20191229 [jira] [Updated] (RANGER-2681) CVE-2019-12397: Apache Ranger cross site scripting issue",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/cbc6346708ef2b9ffb2555637311bf6294923c609c029389fa39de8f%40%3Cdev.ranger.apache.org%3E"
              },
              {
                "name": "[ranger-dev] 20200121 [jira] [Resolved] (RANGER-2681) CVE-2019-12397: Apache Ranger cross site scripting issue",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/r04bc435a92911de4b52d2b98f169bd7cf2e8bbeb53b03788df8f932c%40%3Cdev.ranger.apache.org%3E"
              },
              {
                "name": "[ranger-dev] 20200121 [jira] [Commented] (RANGER-2681) CVE-2019-12397: Apache Ranger cross site scripting issue",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/rd88077a781ef38f7687c100f93992f4dda8aa101925050c4af470998%40%3Cdev.ranger.apache.org%3E"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Apache Ranger",
              "vendor": "Apache Software Foundation",
              "versions": [
                {
                  "status": "affected",
                  "version": "0.7.0 to 1.2.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Policy import functionality in Apache Ranger 0.7.0 to 1.2.0 is vulnerable to a cross-site scripting issue. Upgrade to 2.0.0 or later version of Apache Ranger with the fix."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Cross-site scripting",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2020-01-21T15:06:15.000Z",
            "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
            "shortName": "apache"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://cwiki.apache.org/confluence/display/RANGER/Vulnerabilities+found+in+Ranger"
            },
            {
              "name": "[oss-security] 20190808 CVE update - fixed in Apache Ranger 2.0.0",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "http://www.openwall.com/lists/oss-security/2019/08/08/1"
            },
            {
              "name": "[ranger-dev] 20191229 [jira] [Created] (RANGER-2681) CVE-2019-12397: Apache Ranger cross site scripting issue",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/ab2de1adad96f5dbd19d976b28715dfc60dbe75e82a74f48be8ef695%40%3Cdev.ranger.apache.org%3E"
            },
            {
              "name": "[ranger-dev] 20191229 [jira] [Updated] (RANGER-2681) CVE-2019-12397: Apache Ranger cross site scripting issue",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/cbc6346708ef2b9ffb2555637311bf6294923c609c029389fa39de8f%40%3Cdev.ranger.apache.org%3E"
            },
            {
              "name": "[ranger-dev] 20200121 [jira] [Resolved] (RANGER-2681) CVE-2019-12397: Apache Ranger cross site scripting issue",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/r04bc435a92911de4b52d2b98f169bd7cf2e8bbeb53b03788df8f932c%40%3Cdev.ranger.apache.org%3E"
            },
            {
              "name": "[ranger-dev] 20200121 [jira] [Commented] (RANGER-2681) CVE-2019-12397: Apache Ranger cross site scripting issue",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/rd88077a781ef38f7687c100f93992f4dda8aa101925050c4af470998%40%3Cdev.ranger.apache.org%3E"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@apache.org",
              "ID": "CVE-2019-12397",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Apache Ranger",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "0.7.0 to 1.2.0"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Apache Software Foundation"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Policy import functionality in Apache Ranger 0.7.0 to 1.2.0 is vulnerable to a cross-site scripting issue. Upgrade to 2.0.0 or later version of Apache Ranger with the fix."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Cross-site scripting"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://cwiki.apache.org/confluence/display/RANGER/Vulnerabilities+found+in+Ranger",
                  "refsource": "CONFIRM",
                  "url": "https://cwiki.apache.org/confluence/display/RANGER/Vulnerabilities+found+in+Ranger"
                },
                {
                  "name": "[oss-security] 20190808 CVE update - fixed in Apache Ranger 2.0.0",
                  "refsource": "MLIST",
                  "url": "http://www.openwall.com/lists/oss-security/2019/08/08/1"
                },
                {
                  "name": "[ranger-dev] 20191229 [jira] [Created] (RANGER-2681) CVE-2019-12397: Apache Ranger cross site scripting issue",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/ab2de1adad96f5dbd19d976b28715dfc60dbe75e82a74f48be8ef695@%3Cdev.ranger.apache.org%3E"
                },
                {
                  "name": "[ranger-dev] 20191229 [jira] [Updated] (RANGER-2681) CVE-2019-12397: Apache Ranger cross site scripting issue",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/cbc6346708ef2b9ffb2555637311bf6294923c609c029389fa39de8f@%3Cdev.ranger.apache.org%3E"
                },
                {
                  "name": "[ranger-dev] 20200121 [jira] [Resolved] (RANGER-2681) CVE-2019-12397: Apache Ranger cross site scripting issue",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/r04bc435a92911de4b52d2b98f169bd7cf2e8bbeb53b03788df8f932c@%3Cdev.ranger.apache.org%3E"
                },
                {
                  "name": "[ranger-dev] 20200121 [jira] [Commented] (RANGER-2681) CVE-2019-12397: Apache Ranger cross site scripting issue",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/rd88077a781ef38f7687c100f93992f4dda8aa101925050c4af470998@%3Cdev.ranger.apache.org%3E"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "assignerShortName": "apache",
        "cveId": "CVE-2019-12397",
        "datePublished": "2019-08-08T17:06:43.000Z",
        "dateReserved": "2019-05-28T00:00:00.000Z",
        "dateUpdated": "2024-08-04T23:17:40.107Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2018-11778 (GCVE-0-2018-11778)

    Vulnerability from nvd – Published: 2018-10-05 19:00 – Updated: 2024-09-17 03:18
    VLAI
    Summary
    UnixAuthenticationService in Apache Ranger 1.2.0 was updated to correctly handle user input to avoid Stack-based buffer overflow. Versions prior to 1.2.0 should be upgraded to 1.2.0
    Severity
    No CVSS data available.
    CWE
    • Overflow
    Assigner
    References
    Impacted products
    Date Public
    2018-10-04 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T08:17:09.211Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://cwiki.apache.org/confluence/display/RANGER/Vulnerabilities+found+in+Ranger"
              },
              {
                "name": "[oss-security] 20181004 CVE update - fixed in Apache Ranger 1.2.0",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://seclists.org/oss-sec/2018/q4/11"
              },
              {
                "name": "[ranger-dev] 20200121 [jira] [Resolved] (RANGER-2681) CVE-2019-12397: Apache Ranger cross site scripting issue",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/r04bc435a92911de4b52d2b98f169bd7cf2e8bbeb53b03788df8f932c%40%3Cdev.ranger.apache.org%3E"
              },
              {
                "name": "[ranger-dev] 20200121 [jira] [Commented] (RANGER-2681) CVE-2019-12397: Apache Ranger cross site scripting issue",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/rd88077a781ef38f7687c100f93992f4dda8aa101925050c4af470998%40%3Cdev.ranger.apache.org%3E"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Apache Ranger",
              "vendor": "Apache Software Foundation",
              "versions": [
                {
                  "status": "affected",
                  "version": "prior to 1.2.0"
                }
              ]
            }
          ],
          "datePublic": "2018-10-04T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "UnixAuthenticationService in Apache Ranger 1.2.0 was updated to correctly handle user input to avoid Stack-based buffer overflow. Versions prior to 1.2.0 should be upgraded to 1.2.0"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Overflow",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2020-01-21T15:06:15.000Z",
            "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
            "shortName": "apache"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://cwiki.apache.org/confluence/display/RANGER/Vulnerabilities+found+in+Ranger"
            },
            {
              "name": "[oss-security] 20181004 CVE update - fixed in Apache Ranger 1.2.0",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://seclists.org/oss-sec/2018/q4/11"
            },
            {
              "name": "[ranger-dev] 20200121 [jira] [Resolved] (RANGER-2681) CVE-2019-12397: Apache Ranger cross site scripting issue",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/r04bc435a92911de4b52d2b98f169bd7cf2e8bbeb53b03788df8f932c%40%3Cdev.ranger.apache.org%3E"
            },
            {
              "name": "[ranger-dev] 20200121 [jira] [Commented] (RANGER-2681) CVE-2019-12397: Apache Ranger cross site scripting issue",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/rd88077a781ef38f7687c100f93992f4dda8aa101925050c4af470998%40%3Cdev.ranger.apache.org%3E"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@apache.org",
              "DATE_PUBLIC": "2018-10-04T00:00:00",
              "ID": "CVE-2018-11778",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Apache Ranger",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "prior to 1.2.0"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Apache Software Foundation"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "UnixAuthenticationService in Apache Ranger 1.2.0 was updated to correctly handle user input to avoid Stack-based buffer overflow. Versions prior to 1.2.0 should be upgraded to 1.2.0"
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Overflow"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://cwiki.apache.org/confluence/display/RANGER/Vulnerabilities+found+in+Ranger",
                  "refsource": "CONFIRM",
                  "url": "https://cwiki.apache.org/confluence/display/RANGER/Vulnerabilities+found+in+Ranger"
                },
                {
                  "name": "[oss-security] 20181004 CVE update - fixed in Apache Ranger 1.2.0",
                  "refsource": "MLIST",
                  "url": "https://seclists.org/oss-sec/2018/q4/11"
                },
                {
                  "name": "[ranger-dev] 20200121 [jira] [Resolved] (RANGER-2681) CVE-2019-12397: Apache Ranger cross site scripting issue",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/r04bc435a92911de4b52d2b98f169bd7cf2e8bbeb53b03788df8f932c@%3Cdev.ranger.apache.org%3E"
                },
                {
                  "name": "[ranger-dev] 20200121 [jira] [Commented] (RANGER-2681) CVE-2019-12397: Apache Ranger cross site scripting issue",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/rd88077a781ef38f7687c100f93992f4dda8aa101925050c4af470998@%3Cdev.ranger.apache.org%3E"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "assignerShortName": "apache",
        "cveId": "CVE-2018-11778",
        "datePublished": "2018-10-05T19:00:00.000Z",
        "dateReserved": "2018-06-05T00:00:00.000Z",
        "dateUpdated": "2024-09-17T03:18:51.761Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2016-6815 (GCVE-0-2016-6815)

    Vulnerability from nvd – Published: 2017-10-13 14:00 – Updated: 2024-09-17 04:14
    VLAI
    Summary
    In Apache Ranger before 0.6.2, users with "keyadmin" role should not be allowed to change password for users with "admin" role.
    Severity
    No CVSS data available.
    CWE
    • Incorrect Privileges
    Assigner
    References
    Impacted products
    Vendor Product Version
    Apache Software Foundation Apache Ranger Affected: 0.5.x
    Affected: 0.6.0
    Affected: 0.6.1
    Create a notification for this product.
    Date Public
    2016-11-06 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-06T01:43:37.907Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "94221",
                "tags": [
                  "vdb-entry",
                  "x_refsource_BID",
                  "x_transferred"
                ],
                "url": "http://www.securityfocus.com/bid/94221"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://cwiki.apache.org/confluence/display/RANGER/Vulnerabilities+found+in+Ranger"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Apache Ranger",
              "vendor": "Apache Software Foundation",
              "versions": [
                {
                  "status": "affected",
                  "version": "0.5.x"
                },
                {
                  "status": "affected",
                  "version": "0.6.0"
                },
                {
                  "status": "affected",
                  "version": "0.6.1"
                }
              ]
            }
          ],
          "datePublic": "2016-11-06T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "In Apache Ranger before 0.6.2, users with \"keyadmin\" role should not be allowed to change password for users with \"admin\" role."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Incorrect Privileges",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2017-10-14T09:57:01.000Z",
            "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
            "shortName": "apache"
          },
          "references": [
            {
              "name": "94221",
              "tags": [
                "vdb-entry",
                "x_refsource_BID"
              ],
              "url": "http://www.securityfocus.com/bid/94221"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://cwiki.apache.org/confluence/display/RANGER/Vulnerabilities+found+in+Ranger"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@apache.org",
              "DATE_PUBLIC": "2016-11-06T00:00:00",
              "ID": "CVE-2016-6815",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Apache Ranger",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "0.5.x"
                              },
                              {
                                "version_value": "0.6.0"
                              },
                              {
                                "version_value": "0.6.1"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Apache Software Foundation"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "In Apache Ranger before 0.6.2, users with \"keyadmin\" role should not be allowed to change password for users with \"admin\" role."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Incorrect Privileges"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "94221",
                  "refsource": "BID",
                  "url": "http://www.securityfocus.com/bid/94221"
                },
                {
                  "name": "https://cwiki.apache.org/confluence/display/RANGER/Vulnerabilities+found+in+Ranger",
                  "refsource": "CONFIRM",
                  "url": "https://cwiki.apache.org/confluence/display/RANGER/Vulnerabilities+found+in+Ranger"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "assignerShortName": "apache",
        "cveId": "CVE-2016-6815",
        "datePublished": "2017-10-13T14:00:00.000Z",
        "dateReserved": "2016-08-12T00:00:00.000Z",
        "dateUpdated": "2024-09-17T04:14:03.099Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2017-7677 (GCVE-0-2017-7677)

    Vulnerability from nvd – Published: 2017-06-14 17:00 – Updated: 2024-08-05 16:12
    VLAI
    Summary
    In environments that use external location for hive tables, Hive Authorizer in Apache Ranger before 0.7.1 should be checking RWX permission for create table.
    Severity
    No CVSS data available.
    CWE
    • Authorization
    Assigner
    References
    Impacted products
    Vendor Product Version
    Apache Software Foundation Apache Ranger Affected: 0.5.x
    Affected: 0.6.x
    Affected: 0.7.0
    Create a notification for this product.
    Date Public
    2017-06-07 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T16:12:27.880Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "98961",
                "tags": [
                  "vdb-entry",
                  "x_refsource_BID",
                  "x_transferred"
                ],
                "url": "http://www.securityfocus.com/bid/98961"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://cwiki.apache.org/confluence/display/RANGER/Vulnerabilities+found+in+Ranger"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Apache Ranger",
              "vendor": "Apache Software Foundation",
              "versions": [
                {
                  "status": "affected",
                  "version": "0.5.x"
                },
                {
                  "status": "affected",
                  "version": "0.6.x"
                },
                {
                  "status": "affected",
                  "version": "0.7.0"
                }
              ]
            }
          ],
          "datePublic": "2017-06-07T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "In environments that use external location for hive tables, Hive Authorizer in Apache Ranger before 0.7.1 should be checking RWX permission for create table."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Authorization",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2017-06-15T09:57:01.000Z",
            "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
            "shortName": "apache"
          },
          "references": [
            {
              "name": "98961",
              "tags": [
                "vdb-entry",
                "x_refsource_BID"
              ],
              "url": "http://www.securityfocus.com/bid/98961"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://cwiki.apache.org/confluence/display/RANGER/Vulnerabilities+found+in+Ranger"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@apache.org",
              "ID": "CVE-2017-7677",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Apache Ranger",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "0.5.x"
                              },
                              {
                                "version_value": "0.6.x"
                              },
                              {
                                "version_value": "0.7.0"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Apache Software Foundation"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "In environments that use external location for hive tables, Hive Authorizer in Apache Ranger before 0.7.1 should be checking RWX permission for create table."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Authorization"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "98961",
                  "refsource": "BID",
                  "url": "http://www.securityfocus.com/bid/98961"
                },
                {
                  "name": "https://cwiki.apache.org/confluence/display/RANGER/Vulnerabilities+found+in+Ranger",
                  "refsource": "CONFIRM",
                  "url": "https://cwiki.apache.org/confluence/display/RANGER/Vulnerabilities+found+in+Ranger"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "assignerShortName": "apache",
        "cveId": "CVE-2017-7677",
        "datePublished": "2017-06-14T17:00:00.000Z",
        "dateReserved": "2017-04-11T00:00:00.000Z",
        "dateUpdated": "2024-08-05T16:12:27.880Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2017-7676 (GCVE-0-2017-7676)

    Vulnerability from nvd – Published: 2017-06-14 17:00 – Updated: 2024-08-05 16:12
    VLAI
    Summary
    Policy resource matcher in Apache Ranger before 0.7.1 ignores characters after '*' wildcard character - like my*test, test*.txt. This can result in unintended behavior.
    Severity
    No CVSS data available.
    CWE
    • Authorization
    Assigner
    References
    Impacted products
    Vendor Product Version
    Apache Software Foundation Apache Ranger Affected: 0.5.x
    Affected: 0.6.x
    Affected: 0.7.0
    Create a notification for this product.
    Date Public
    2017-06-07 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T16:12:27.762Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://cwiki.apache.org/confluence/display/RANGER/Vulnerabilities+found+in+Ranger"
              },
              {
                "name": "98958",
                "tags": [
                  "vdb-entry",
                  "x_refsource_BID",
                  "x_transferred"
                ],
                "url": "http://www.securityfocus.com/bid/98958"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Apache Ranger",
              "vendor": "Apache Software Foundation",
              "versions": [
                {
                  "status": "affected",
                  "version": "0.5.x"
                },
                {
                  "status": "affected",
                  "version": "0.6.x"
                },
                {
                  "status": "affected",
                  "version": "0.7.0"
                }
              ]
            }
          ],
          "datePublic": "2017-06-07T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Policy resource matcher in Apache Ranger before 0.7.1 ignores characters after \u0027*\u0027 wildcard character - like my*test, test*.txt. This can result in unintended behavior."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Authorization",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2017-06-15T09:57:01.000Z",
            "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
            "shortName": "apache"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://cwiki.apache.org/confluence/display/RANGER/Vulnerabilities+found+in+Ranger"
            },
            {
              "name": "98958",
              "tags": [
                "vdb-entry",
                "x_refsource_BID"
              ],
              "url": "http://www.securityfocus.com/bid/98958"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@apache.org",
              "ID": "CVE-2017-7676",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Apache Ranger",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "0.5.x"
                              },
                              {
                                "version_value": "0.6.x"
                              },
                              {
                                "version_value": "0.7.0"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Apache Software Foundation"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Policy resource matcher in Apache Ranger before 0.7.1 ignores characters after \u0027*\u0027 wildcard character - like my*test, test*.txt. This can result in unintended behavior."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Authorization"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://cwiki.apache.org/confluence/display/RANGER/Vulnerabilities+found+in+Ranger",
                  "refsource": "CONFIRM",
                  "url": "https://cwiki.apache.org/confluence/display/RANGER/Vulnerabilities+found+in+Ranger"
                },
                {
                  "name": "98958",
                  "refsource": "BID",
                  "url": "http://www.securityfocus.com/bid/98958"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "assignerShortName": "apache",
        "cveId": "CVE-2017-7676",
        "datePublished": "2017-06-14T17:00:00.000Z",
        "dateReserved": "2017-04-11T00:00:00.000Z",
        "dateUpdated": "2024-08-05T16:12:27.762Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2016-8751 (GCVE-0-2016-8751)

    Vulnerability from nvd – Published: 2017-06-14 17:00 – Updated: 2024-08-06 02:35
    VLAI
    Summary
    Apache Ranger before 0.6.3 is vulnerable to a Stored Cross-Site Scripting in when entering custom policy conditions. Admin users can store some arbitrary javascript code to be executed when normal users login and access policies.
    Severity
    No CVSS data available.
    CWE
    • CSS
    Assigner
    References
    Impacted products
    Vendor Product Version
    Apache Software Foundation Apache Ranger Affected: 0.5.x
    Affected: 0.6.0 - 0.6.2
    Create a notification for this product.
    Date Public
    2017-02-01 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-06T02:35:00.223Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "99067",
                "tags": [
                  "vdb-entry",
                  "x_refsource_BID",
                  "x_transferred"
                ],
                "url": "http://www.securityfocus.com/bid/99067"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://cwiki.apache.org/confluence/display/RANGER/Vulnerabilities+found+in+Ranger"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Apache Ranger",
              "vendor": "Apache Software Foundation",
              "versions": [
                {
                  "status": "affected",
                  "version": "0.5.x"
                },
                {
                  "status": "affected",
                  "version": "0.6.0 - 0.6.2"
                }
              ]
            }
          ],
          "datePublic": "2017-02-01T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Apache Ranger before 0.6.3 is vulnerable to a Stored Cross-Site Scripting in when entering custom policy conditions. Admin users can store some arbitrary javascript code to be executed when normal users login and access policies."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "CSS",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2019-02-20T19:57:01.000Z",
            "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
            "shortName": "apache"
          },
          "references": [
            {
              "name": "99067",
              "tags": [
                "vdb-entry",
                "x_refsource_BID"
              ],
              "url": "http://www.securityfocus.com/bid/99067"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://cwiki.apache.org/confluence/display/RANGER/Vulnerabilities+found+in+Ranger"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@apache.org",
              "ID": "CVE-2016-8751",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Apache Ranger",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "0.5.x"
                              },
                              {
                                "version_value": "0.6.0 - 0.6.2"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Apache Software Foundation"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Apache Ranger before 0.6.3 is vulnerable to a Stored Cross-Site Scripting in when entering custom policy conditions. Admin users can store some arbitrary javascript code to be executed when normal users login and access policies."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CSS"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "99067",
                  "refsource": "BID",
                  "url": "http://www.securityfocus.com/bid/99067"
                },
                {
                  "name": "https://cwiki.apache.org/confluence/display/RANGER/Vulnerabilities+found+in+Ranger",
                  "refsource": "CONFIRM",
                  "url": "https://cwiki.apache.org/confluence/display/RANGER/Vulnerabilities+found+in+Ranger"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "assignerShortName": "apache",
        "cveId": "CVE-2016-8751",
        "datePublished": "2017-06-14T17:00:00.000Z",
        "dateReserved": "2016-10-18T00:00:00.000Z",
        "dateUpdated": "2024-08-06T02:35:00.223Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2016-8746 (GCVE-0-2016-8746)

    Vulnerability from nvd – Published: 2017-06-14 17:00 – Updated: 2024-08-06 02:34
    VLAI
    Summary
    Apache Ranger before 0.6.3 policy engine incorrectly matches paths in certain conditions when policy does not contain wildcards and has recursion flag set to true.
    Severity
    No CVSS data available.
    CWE
    • Authorization
    Assigner
    References
    Impacted products
    Date Public
    2017-02-01 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-06T02:34:59.604Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "95998",
                "tags": [
                  "vdb-entry",
                  "x_refsource_BID",
                  "x_transferred"
                ],
                "url": "http://www.securityfocus.com/bid/95998"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://cwiki.apache.org/confluence/display/RANGER/Vulnerabilities+found+in+Ranger"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Apache Ranger",
              "vendor": "Apache Software Foundation",
              "versions": [
                {
                  "status": "affected",
                  "version": "0.6.0 - 0.6.2"
                }
              ]
            }
          ],
          "datePublic": "2017-02-01T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Apache Ranger before 0.6.3 policy engine incorrectly matches paths in certain conditions when policy does not contain wildcards and has recursion flag set to true."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Authorization",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2017-06-15T09:57:01.000Z",
            "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
            "shortName": "apache"
          },
          "references": [
            {
              "name": "95998",
              "tags": [
                "vdb-entry",
                "x_refsource_BID"
              ],
              "url": "http://www.securityfocus.com/bid/95998"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://cwiki.apache.org/confluence/display/RANGER/Vulnerabilities+found+in+Ranger"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@apache.org",
              "ID": "CVE-2016-8746",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Apache Ranger",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "0.6.0 - 0.6.2"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Apache Software Foundation"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Apache Ranger before 0.6.3 policy engine incorrectly matches paths in certain conditions when policy does not contain wildcards and has recursion flag set to true."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Authorization"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "95998",
                  "refsource": "BID",
                  "url": "http://www.securityfocus.com/bid/95998"
                },
                {
                  "name": "https://cwiki.apache.org/confluence/display/RANGER/Vulnerabilities+found+in+Ranger",
                  "refsource": "CONFIRM",
                  "url": "https://cwiki.apache.org/confluence/display/RANGER/Vulnerabilities+found+in+Ranger"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "assignerShortName": "apache",
        "cveId": "CVE-2016-8746",
        "datePublished": "2017-06-14T17:00:00.000Z",
        "dateReserved": "2016-10-18T00:00:00.000Z",
        "dateUpdated": "2024-08-06T02:34:59.604Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2016-5395 (GCVE-0-2016-5395)

    Vulnerability from nvd – Published: 2016-09-26 14:00 – Updated: 2024-08-06 01:00
    VLAI
    Summary
    Cross-site scripting (XSS) vulnerability in the create user functionality in the policy admin tool in Apache Ranger before 0.6.1 allows remote authenticated administrators to inject arbitrary web script or HTML via vectors related to policies.
    Severity
    No CVSS data available.
    CWE
    • n/a
    Assigner
    References
    Date Public
    2016-08-22 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-06T01:00:59.855Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://cwiki.apache.org/confluence/display/RANGER/Vulnerabilities+found+in+Ranger"
              },
              {
                "name": "92577",
                "tags": [
                  "vdb-entry",
                  "x_refsource_BID",
                  "x_transferred"
                ],
                "url": "http://www.securityfocus.com/bid/92577"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "datePublic": "2016-08-22T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Cross-site scripting (XSS) vulnerability in the create user functionality in the policy admin tool in Apache Ranger before 0.6.1 allows remote authenticated administrators to inject arbitrary web script or HTML via vectors related to policies."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2016-09-26T13:57:01.000Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://cwiki.apache.org/confluence/display/RANGER/Vulnerabilities+found+in+Ranger"
            },
            {
              "name": "92577",
              "tags": [
                "vdb-entry",
                "x_refsource_BID"
              ],
              "url": "http://www.securityfocus.com/bid/92577"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "secalert@redhat.com",
              "ID": "CVE-2016-5395",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "n/a",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "n/a"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Cross-site scripting (XSS) vulnerability in the create user functionality in the policy admin tool in Apache Ranger before 0.6.1 allows remote authenticated administrators to inject arbitrary web script or HTML via vectors related to policies."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "n/a"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://cwiki.apache.org/confluence/display/RANGER/Vulnerabilities+found+in+Ranger",
                  "refsource": "CONFIRM",
                  "url": "https://cwiki.apache.org/confluence/display/RANGER/Vulnerabilities+found+in+Ranger"
                },
                {
                  "name": "92577",
                  "refsource": "BID",
                  "url": "http://www.securityfocus.com/bid/92577"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2016-5395",
        "datePublished": "2016-09-26T14:00:00.000Z",
        "dateReserved": "2016-06-10T00:00:00.000Z",
        "dateUpdated": "2024-08-06T01:00:59.855Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-59060 (GCVE-0-2025-59060)

    Vulnerability from cvelistv5 – Published: 2026-03-03 10:46 – Updated: 2026-03-03 14:49
    VLAI
    Title
    Apache Ranger: Hostname verification bypass in NiFiRegistryClient and NifiClient
    Summary
    Hostname verification bypass issue in Apache Ranger NiFiRegistryClient/NiFiClient is reported in Apache Ranger versions <= 2.7.0. Users are recommended to upgrade to version 2.8.0, which fixes this issue.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-297 - Improper Validation of Certificate with Host Mismatch
    Assigner
    Impacted products
    Vendor Product Version
    Apache Software Foundation Apache Ranger Affected: 0 , ≤ 2.7.0 (semver)
    Create a notification for this product.
    Credits
    Nikita Markevich <markevich.nikita1@gmail.com>
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2026-03-03T11:14:18.408Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "url": "http://www.openwall.com/lists/oss-security/2026/03/02/4"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 5.3,
                  "baseSeverity": "MEDIUM",
                  "confidentialityImpact": "LOW",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-59060",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-03-03T14:47:44.951917Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-03-03T14:49:34.864Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Apache Ranger",
              "vendor": "Apache Software Foundation",
              "versions": [
                {
                  "lessThanOrEqual": "2.7.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Nikita Markevich \u003cmarkevich.nikita1@gmail.com\u003e"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eHostname verification bypass issue in Apache Ranger NiFiRegistryClient/NiFiClient is reported in Apache Ranger versions \u0026lt;= 2.7.0.\u003c/p\u003eUsers are recommended to upgrade to version 2.8.0, which fixes this issue."
                }
              ],
              "value": "Hostname verification bypass issue in Apache Ranger NiFiRegistryClient/NiFiClient is reported in Apache Ranger versions \u003c= 2.7.0.\n\nUsers are recommended to upgrade to version 2.8.0, which fixes this issue."
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "text": "low"
                },
                "type": "Textual description of severity"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-297",
                  "description": "CWE-297 Improper Validation of Certificate with Host Mismatch",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-03-03T10:46:52.382Z",
            "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
            "shortName": "apache"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.apache.org/thread/c4plx81z3xs86vgl3fd95y3q7hhtff05"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Apache Ranger: Hostname verification bypass in NiFiRegistryClient and NifiClient",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "assignerShortName": "apache",
        "cveId": "CVE-2025-59060",
        "datePublished": "2026-03-03T10:46:52.382Z",
        "dateReserved": "2025-09-08T18:55:29.925Z",
        "dateUpdated": "2026-03-03T14:49:34.864Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-59059 (GCVE-0-2025-59059)

    Vulnerability from cvelistv5 – Published: 2026-03-03 10:44 – Updated: 2026-03-03 14:54
    VLAI
    Title
    Apache Ranger: Remote Code Execution Vulnerability in NashornScriptEngineCreator
    Summary
    Remote Code Execution Vulnerability in NashornScriptEngineCreator is reported in Apache Ranger versions <= 2.7.0. Users are recommended to upgrade to version 2.8.0, which fixes this issue.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-94 - Improper Control of Generation of Code ('Code Injection')
    Assigner
    Impacted products
    Vendor Product Version
    Apache Software Foundation Apache Ranger Affected: 0 , ≤ 2.7.0 (semver)
    Create a notification for this product.
    Credits
    chengtianyi <chengtianyi@huawei.com>
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2026-03-03T11:14:16.410Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "url": "http://www.openwall.com/lists/oss-security/2026/03/02/5"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 9.8,
                  "baseSeverity": "CRITICAL",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-59059",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-03-03T14:53:28.058830Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-03-03T14:54:30.232Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Apache Ranger",
              "vendor": "Apache Software Foundation",
              "versions": [
                {
                  "lessThanOrEqual": "2.7.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "chengtianyi \u003cchengtianyi@huawei.com\u003e"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Remote Code Execution Vulnerability in NashornScriptEngineCreator is reported in Apache Ranger versions \u0026lt;= 2.7.0.\u003cbr\u003eUsers are recommended to upgrade to version 2.8.0, which fixes this issue."
                }
              ],
              "value": "Remote Code Execution Vulnerability in NashornScriptEngineCreator is reported in Apache Ranger versions \u003c= 2.7.0.\nUsers are recommended to upgrade to version 2.8.0, which fixes this issue."
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "text": "low"
                },
                "type": "Textual description of severity"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-94",
                  "description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-03-03T10:44:47.294Z",
            "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
            "shortName": "apache"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.apache.org/thread/z47q86rho80390lf2qcmoc2josvs0gtv"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Apache Ranger: Remote Code Execution Vulnerability in NashornScriptEngineCreator",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "assignerShortName": "apache",
        "cveId": "CVE-2025-59059",
        "datePublished": "2026-03-03T10:44:47.294Z",
        "dateReserved": "2025-09-08T18:36:43.801Z",
        "dateUpdated": "2026-03-03T14:54:30.232Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-55532 (GCVE-0-2024-55532)

    Vulnerability from cvelistv5 – Published: 2025-03-03 16:04 – Updated: 2025-03-04 16:10
    VLAI
    Title
    Apache Ranger: Improper Neutralization of Formula Elements in a CSV File
    Summary
    Improper Neutralization of Formula Elements in Export CSV feature of Apache Ranger in Apache Ranger Version < 2.6.0. Users are recommended to upgrade to version 2.6.0, which fixes this issue.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-1236 - Improper Neutralization of Formula Elements in a CSV File
    Assigner
    Impacted products
    Vendor Product Version
    Apache Software Foundation Apache Ranger Affected: 0 , ≤ 2.5.0 (semver)
    Create a notification for this product.
    Credits
    "김도균"<a2256014@naver.com>
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2025-03-03T18:03:23.427Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "url": "http://www.openwall.com/lists/oss-security/2025/03/03/2"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 9.8,
                  "baseSeverity": "CRITICAL",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-55532",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-03-04T16:08:29.686366Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-03-04T16:10:02.790Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Apache Ranger",
              "vendor": "Apache Software Foundation",
              "versions": [
                {
                  "lessThanOrEqual": "2.5.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "\"\uae40\ub3c4\uade0\"\u003ca2256014@naver.com\u003e"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Improper Neutralization of Formula Elements in Export CSV feature of Apache Ranger in Apache Ranger Version \u0026lt; 2.6.0.\u003cbr\u003eUsers are recommended to upgrade to version 2.6.0, which fixes this issue."
                }
              ],
              "value": "Improper Neutralization of Formula Elements in Export CSV feature of Apache Ranger in Apache Ranger Version \u003c 2.6.0.\nUsers are recommended to upgrade to version 2.6.0, which fixes this issue."
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "text": "low"
                },
                "type": "Textual description of severity"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-1236",
                  "description": "CWE-1236 Improper Neutralization of Formula Elements in a CSV File",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-03-03T16:17:56.227Z",
            "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
            "shortName": "apache"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://cwiki.apache.org/confluence/display/RANGER/Vulnerabilities+found+in+Ranger"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Apache Ranger: Improper Neutralization of Formula Elements in a CSV File",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "assignerShortName": "apache",
        "cveId": "CVE-2024-55532",
        "datePublished": "2025-03-03T16:04:54.856Z",
        "dateReserved": "2024-12-06T14:40:07.948Z",
        "dateUpdated": "2025-03-04T16:10:02.790Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-45479 (GCVE-0-2024-45479)

    Vulnerability from cvelistv5 – Published: 2025-01-21 21:26 – Updated: 2025-06-10 09:06
    VLAI
    Title
    Apache Ranger: SSRF in Edit Service page - Add logic to filter requests to localhost
    Summary
    SSRF vulnerability in Edit Service Page of Apache Ranger UI in Apache Ranger Version 2.4.0. Users are recommended to upgrade to version Apache Ranger 2.5.0, which fixes this issue.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-918 - Server-Side Request Forgery (SSRF)
    Assigner
    Impacted products
    Vendor Product Version
    Apache Software Foundation Apache Ranger Affected: 2.4.0 , < 2.5.0 (semver)
    Create a notification for this product.
    Credits
    Gyujin (biz@web-us.kr)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2025-01-21T22:02:49.988Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "url": "http://www.openwall.com/lists/oss-security/2025/01/21/4"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 9.1,
                  "baseSeverity": "CRITICAL",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-45479",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-01-22T14:43:56.539586Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-01-27T21:06:38.671Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Apache Ranger",
              "vendor": "Apache Software Foundation",
              "versions": [
                {
                  "lessThan": "2.5.0",
                  "status": "affected",
                  "version": "2.4.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Gyujin (biz@web-us.kr)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "SSRF vulnerability in Edit Service Page of Apache Ranger UI in Apache Ranger Version 2.4.0.\u003cbr\u003eUsers are recommended to upgrade to version Apache Ranger 2.5.0, which fixes this issue."
                }
              ],
              "value": "SSRF vulnerability in Edit Service Page of Apache Ranger UI in Apache Ranger Version 2.4.0.\nUsers are recommended to upgrade to version Apache Ranger 2.5.0, which fixes this issue."
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "text": "moderate"
                },
                "type": "Textual description of severity"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-918",
                  "description": "CWE-918 Server-Side Request Forgery (SSRF)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-06-10T09:06:33.435Z",
            "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
            "shortName": "apache"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://cwiki.apache.org/confluence/display/RANGER/Vulnerabilities+found+in+Ranger"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Apache Ranger: SSRF in Edit Service page - Add logic to filter requests to localhost",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "assignerShortName": "apache",
        "cveId": "CVE-2024-45479",
        "datePublished": "2025-01-21T21:26:16.500Z",
        "dateReserved": "2024-08-29T14:51:06.723Z",
        "dateUpdated": "2025-06-10T09:06:33.435Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-45478 (GCVE-0-2024-45478)

    Vulnerability from cvelistv5 – Published: 2025-01-21 21:25 – Updated: 2025-06-10 09:05
    VLAI
    Title
    Apache Ranger: Stored XSS in Edit Service page - Add logic to validate user input
    Summary
    Stored XSS vulnerability in Edit Service Page of Apache Ranger UI in Apache Ranger Version 2.4.0. Users are recommended to upgrade to version Apache Ranger 2.5.0, which fixes this issue.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Vendor Product Version
    Apache Software Foundation Apache Ranger Affected: 2.4.0 , < 2.5.0 (semver)
    Create a notification for this product.
    Credits
    Gyujin (biz@web-us.kr)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2025-01-21T22:02:48.006Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "url": "http://www.openwall.com/lists/oss-security/2025/01/21/3"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 4.8,
                  "baseSeverity": "MEDIUM",
                  "confidentialityImpact": "LOW",
                  "integrityImpact": "LOW",
                  "privilegesRequired": "HIGH",
                  "scope": "CHANGED",
                  "userInteraction": "REQUIRED",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-45478",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-01-22T18:43:51.825307Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-01-22T18:52:12.206Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Apache Ranger",
              "vendor": "Apache Software Foundation",
              "versions": [
                {
                  "lessThan": "2.5.0",
                  "status": "affected",
                  "version": "2.4.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Gyujin (biz@web-us.kr)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Stored XSS vulnerability in Edit Service Page of Apache Ranger UI in Apache Ranger Version 2.4.0.\u003cbr\u003eUsers are recommended to upgrade to version Apache Ranger 2.5.0, which fixes this issue."
                }
              ],
              "value": "Stored XSS vulnerability in Edit Service Page of Apache Ranger UI in Apache Ranger Version 2.4.0.\nUsers are recommended to upgrade to version Apache Ranger 2.5.0, which fixes this issue."
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "text": "moderate"
                },
                "type": "Textual description of severity"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-06-10T09:05:27.590Z",
            "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
            "shortName": "apache"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://cwiki.apache.org/confluence/display/RANGER/Vulnerabilities+found+in+Ranger"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Apache Ranger: Stored XSS in Edit Service page - Add logic to validate user input",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "assignerShortName": "apache",
        "cveId": "CVE-2024-45478",
        "datePublished": "2025-01-21T21:25:58.276Z",
        "dateReserved": "2024-08-29T14:30:58.496Z",
        "dateUpdated": "2025-06-10T09:05:27.590Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-40331 (GCVE-0-2021-40331)

    Vulnerability from cvelistv5 – Published: 2023-05-05 07:55 – Updated: 2024-10-11 17:07
    VLAI
    Title
    Permissions problem in the Apache Ranger Hive Plugin
    Summary
    An Incorrect Permission Assignment for Critical Resource vulnerability was found in the Apache Ranger Hive Plugin. Any user with SELECT privilege on a database can alter the ownership of the table in Hive when Apache Ranger Hive Plugin is enabled This issue affects Apache Ranger Hive Plugin: from 2.0.0 through 2.3.0. Users are recommended to upgrade to version 2.4.0 or later.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-732 - Incorrect Permission Assignment for Critical Resource
    Assigner
    References
    Impacted products
    Vendor Product Version
    Apache Software Foundation Apache Ranger Hive Plugin Affected: 2.0.0 , ≤ 2.3.0 (semver)
    Create a notification for this product.
    apache ranger Affected: 2.0.0 , ≤ 2.3.0 (custom)
        cpe:2.3:a:apache:ranger:*:*:*:*:*:hive:*:*
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T02:27:31.979Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread/s68yls6cnkdmzn1k4hqt50vs6wjvt2rn"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:apache:ranger:*:*:*:*:*:hive:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "ranger",
                "vendor": "apache",
                "versions": [
                  {
                    "lessThanOrEqual": "2.3.0",
                    "status": "affected",
                    "version": "2.0.0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 8.1,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "LOW",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2021-40331",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-11T17:06:08.372365Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-11T17:07:19.817Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Apache Ranger Hive Plugin",
              "vendor": "Apache Software Foundation",
              "versions": [
                {
                  "lessThanOrEqual": "2.3.0",
                  "status": "affected",
                  "version": "2.0.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "An Incorrect Permission Assignment for Critical Resource vulnerability was found in the Apache Ranger Hive Plugin. Any user with SELECT privilege on a database can alter the ownership of the table in Hive when Apache Ranger Hive Plugin is enabled\u003cbr\u003e\u003cp\u003eThis issue affects Apache Ranger Hive Plugin: from 2.0.0 through 2.3.0. Users are recommended to upgrade to version 2.4.0 or later.\u003cbr\u003e\u003c/p\u003e"
                }
              ],
              "value": "An Incorrect Permission Assignment for Critical Resource vulnerability was found in the Apache Ranger Hive Plugin. Any user with SELECT privilege on a database can alter the ownership of the table in Hive when Apache Ranger Hive Plugin is enabled\nThis issue affects Apache Ranger Hive Plugin: from 2.0.0 through 2.3.0. Users are recommended to upgrade to version 2.4.0 or later.\n\n\n"
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "text": "critical"
                },
                "type": "Textual description of severity"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-732",
                  "description": "CWE-732 Incorrect Permission Assignment for Critical Resource",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-05-05T07:55:06.554Z",
            "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
            "shortName": "apache"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.apache.org/thread/s68yls6cnkdmzn1k4hqt50vs6wjvt2rn"
            }
          ],
          "source": {
            "defect": [
              "RANGER-3474",
              "RANGER-3357"
            ],
            "discovery": "UNKNOWN"
          },
          "title": "Permissions problem in the Apache Ranger Hive Plugin",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "assignerShortName": "apache",
        "cveId": "CVE-2021-40331",
        "datePublished": "2023-05-05T07:55:06.554Z",
        "dateReserved": "2021-08-31T09:23:23.832Z",
        "dateUpdated": "2024-10-11T17:07:19.817Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-45048 (GCVE-0-2022-45048)

    Vulnerability from cvelistv5 – Published: 2023-05-05 07:50 – Updated: 2024-10-15 18:12
    VLAI
    Title
    Apache Ranger: code execution vulnerability in policy expressions
    Summary
    Authenticated users with appropriate privileges can create policies having expressions that can exploit code execution vulnerability. This issue affects Apache Ranger: 2.3.0. Users are recommended to update to version 2.4.0.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
    Assigner
    References
    Impacted products
    Vendor Product Version
    Apache Software Foundation Apache Ranger Affected: 2.3.0
    Create a notification for this product.
    apache ranger Affected: 2.3.0
        cpe:2.3:a:apache:ranger:2.3.0:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    g1831767442@163.com
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T14:01:31.503Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread/6rpzwy1smdhr60tsh1ydknn3kdm45bb6"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:apache:ranger:2.3.0:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "ranger",
                "vendor": "apache",
                "versions": [
                  {
                    "status": "affected",
                    "version": "2.3.0"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 8.4,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "HIGH",
                  "scope": "CHANGED",
                  "userInteraction": "REQUIRED",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2022-45048",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-15T18:11:38.936548Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-15T18:12:43.127Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Apache Ranger",
              "vendor": "Apache Software Foundation",
              "versions": [
                {
                  "status": "affected",
                  "version": "2.3.0"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "g1831767442@163.com"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eAuthenticated users with appropriate privileges can create policies having expressions that can exploit code execution vulnerability.\u0026nbsp;This issue affects Apache Ranger: 2.3.0. Users are recommended to update to version 2.4.0.\u003cbr\u003e\u003c/p\u003e"
                }
              ],
              "value": "Authenticated users with appropriate privileges can create policies having expressions that can exploit code execution vulnerability.\u00a0This issue affects Apache Ranger: 2.3.0. Users are recommended to update to version 2.4.0.\n\n\n"
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.4,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-74",
                  "description": "CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-05-05T07:50:25.762Z",
            "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
            "shortName": "apache"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.apache.org/thread/6rpzwy1smdhr60tsh1ydknn3kdm45bb6"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Apache Ranger: code execution vulnerability in policy expressions",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "assignerShortName": "apache",
        "cveId": "CVE-2022-45048",
        "datePublished": "2023-05-05T07:50:25.762Z",
        "dateReserved": "2022-11-08T10:32:53.853Z",
        "dateUpdated": "2024-10-15T18:12:43.127Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2019-12397 (GCVE-0-2019-12397)

    Vulnerability from cvelistv5 – Published: 2019-08-08 17:06 – Updated: 2024-08-04 23:17
    VLAI
    Summary
    Policy import functionality in Apache Ranger 0.7.0 to 1.2.0 is vulnerable to a cross-site scripting issue. Upgrade to 2.0.0 or later version of Apache Ranger with the fix.
    Severity
    No CVSS data available.
    CWE
    • Cross-site scripting
    Assigner
    References
    Impacted products
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T23:17:40.107Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://cwiki.apache.org/confluence/display/RANGER/Vulnerabilities+found+in+Ranger"
              },
              {
                "name": "[oss-security] 20190808 CVE update - fixed in Apache Ranger 2.0.0",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "http://www.openwall.com/lists/oss-security/2019/08/08/1"
              },
              {
                "name": "[ranger-dev] 20191229 [jira] [Created] (RANGER-2681) CVE-2019-12397: Apache Ranger cross site scripting issue",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/ab2de1adad96f5dbd19d976b28715dfc60dbe75e82a74f48be8ef695%40%3Cdev.ranger.apache.org%3E"
              },
              {
                "name": "[ranger-dev] 20191229 [jira] [Updated] (RANGER-2681) CVE-2019-12397: Apache Ranger cross site scripting issue",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/cbc6346708ef2b9ffb2555637311bf6294923c609c029389fa39de8f%40%3Cdev.ranger.apache.org%3E"
              },
              {
                "name": "[ranger-dev] 20200121 [jira] [Resolved] (RANGER-2681) CVE-2019-12397: Apache Ranger cross site scripting issue",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/r04bc435a92911de4b52d2b98f169bd7cf2e8bbeb53b03788df8f932c%40%3Cdev.ranger.apache.org%3E"
              },
              {
                "name": "[ranger-dev] 20200121 [jira] [Commented] (RANGER-2681) CVE-2019-12397: Apache Ranger cross site scripting issue",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/rd88077a781ef38f7687c100f93992f4dda8aa101925050c4af470998%40%3Cdev.ranger.apache.org%3E"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Apache Ranger",
              "vendor": "Apache Software Foundation",
              "versions": [
                {
                  "status": "affected",
                  "version": "0.7.0 to 1.2.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Policy import functionality in Apache Ranger 0.7.0 to 1.2.0 is vulnerable to a cross-site scripting issue. Upgrade to 2.0.0 or later version of Apache Ranger with the fix."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Cross-site scripting",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2020-01-21T15:06:15.000Z",
            "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
            "shortName": "apache"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://cwiki.apache.org/confluence/display/RANGER/Vulnerabilities+found+in+Ranger"
            },
            {
              "name": "[oss-security] 20190808 CVE update - fixed in Apache Ranger 2.0.0",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "http://www.openwall.com/lists/oss-security/2019/08/08/1"
            },
            {
              "name": "[ranger-dev] 20191229 [jira] [Created] (RANGER-2681) CVE-2019-12397: Apache Ranger cross site scripting issue",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/ab2de1adad96f5dbd19d976b28715dfc60dbe75e82a74f48be8ef695%40%3Cdev.ranger.apache.org%3E"
            },
            {
              "name": "[ranger-dev] 20191229 [jira] [Updated] (RANGER-2681) CVE-2019-12397: Apache Ranger cross site scripting issue",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/cbc6346708ef2b9ffb2555637311bf6294923c609c029389fa39de8f%40%3Cdev.ranger.apache.org%3E"
            },
            {
              "name": "[ranger-dev] 20200121 [jira] [Resolved] (RANGER-2681) CVE-2019-12397: Apache Ranger cross site scripting issue",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/r04bc435a92911de4b52d2b98f169bd7cf2e8bbeb53b03788df8f932c%40%3Cdev.ranger.apache.org%3E"
            },
            {
              "name": "[ranger-dev] 20200121 [jira] [Commented] (RANGER-2681) CVE-2019-12397: Apache Ranger cross site scripting issue",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/rd88077a781ef38f7687c100f93992f4dda8aa101925050c4af470998%40%3Cdev.ranger.apache.org%3E"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@apache.org",
              "ID": "CVE-2019-12397",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Apache Ranger",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "0.7.0 to 1.2.0"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Apache Software Foundation"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Policy import functionality in Apache Ranger 0.7.0 to 1.2.0 is vulnerable to a cross-site scripting issue. Upgrade to 2.0.0 or later version of Apache Ranger with the fix."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Cross-site scripting"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://cwiki.apache.org/confluence/display/RANGER/Vulnerabilities+found+in+Ranger",
                  "refsource": "CONFIRM",
                  "url": "https://cwiki.apache.org/confluence/display/RANGER/Vulnerabilities+found+in+Ranger"
                },
                {
                  "name": "[oss-security] 20190808 CVE update - fixed in Apache Ranger 2.0.0",
                  "refsource": "MLIST",
                  "url": "http://www.openwall.com/lists/oss-security/2019/08/08/1"
                },
                {
                  "name": "[ranger-dev] 20191229 [jira] [Created] (RANGER-2681) CVE-2019-12397: Apache Ranger cross site scripting issue",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/ab2de1adad96f5dbd19d976b28715dfc60dbe75e82a74f48be8ef695@%3Cdev.ranger.apache.org%3E"
                },
                {
                  "name": "[ranger-dev] 20191229 [jira] [Updated] (RANGER-2681) CVE-2019-12397: Apache Ranger cross site scripting issue",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/cbc6346708ef2b9ffb2555637311bf6294923c609c029389fa39de8f@%3Cdev.ranger.apache.org%3E"
                },
                {
                  "name": "[ranger-dev] 20200121 [jira] [Resolved] (RANGER-2681) CVE-2019-12397: Apache Ranger cross site scripting issue",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/r04bc435a92911de4b52d2b98f169bd7cf2e8bbeb53b03788df8f932c@%3Cdev.ranger.apache.org%3E"
                },
                {
                  "name": "[ranger-dev] 20200121 [jira] [Commented] (RANGER-2681) CVE-2019-12397: Apache Ranger cross site scripting issue",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/rd88077a781ef38f7687c100f93992f4dda8aa101925050c4af470998@%3Cdev.ranger.apache.org%3E"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "assignerShortName": "apache",
        "cveId": "CVE-2019-12397",
        "datePublished": "2019-08-08T17:06:43.000Z",
        "dateReserved": "2019-05-28T00:00:00.000Z",
        "dateUpdated": "2024-08-04T23:17:40.107Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2018-11778 (GCVE-0-2018-11778)

    Vulnerability from cvelistv5 – Published: 2018-10-05 19:00 – Updated: 2024-09-17 03:18
    VLAI
    Summary
    UnixAuthenticationService in Apache Ranger 1.2.0 was updated to correctly handle user input to avoid Stack-based buffer overflow. Versions prior to 1.2.0 should be upgraded to 1.2.0
    Severity
    No CVSS data available.
    CWE
    • Overflow
    Assigner
    References
    Impacted products
    Date Public
    2018-10-04 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T08:17:09.211Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://cwiki.apache.org/confluence/display/RANGER/Vulnerabilities+found+in+Ranger"
              },
              {
                "name": "[oss-security] 20181004 CVE update - fixed in Apache Ranger 1.2.0",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://seclists.org/oss-sec/2018/q4/11"
              },
              {
                "name": "[ranger-dev] 20200121 [jira] [Resolved] (RANGER-2681) CVE-2019-12397: Apache Ranger cross site scripting issue",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/r04bc435a92911de4b52d2b98f169bd7cf2e8bbeb53b03788df8f932c%40%3Cdev.ranger.apache.org%3E"
              },
              {
                "name": "[ranger-dev] 20200121 [jira] [Commented] (RANGER-2681) CVE-2019-12397: Apache Ranger cross site scripting issue",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/rd88077a781ef38f7687c100f93992f4dda8aa101925050c4af470998%40%3Cdev.ranger.apache.org%3E"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Apache Ranger",
              "vendor": "Apache Software Foundation",
              "versions": [
                {
                  "status": "affected",
                  "version": "prior to 1.2.0"
                }
              ]
            }
          ],
          "datePublic": "2018-10-04T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "UnixAuthenticationService in Apache Ranger 1.2.0 was updated to correctly handle user input to avoid Stack-based buffer overflow. Versions prior to 1.2.0 should be upgraded to 1.2.0"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Overflow",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2020-01-21T15:06:15.000Z",
            "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
            "shortName": "apache"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://cwiki.apache.org/confluence/display/RANGER/Vulnerabilities+found+in+Ranger"
            },
            {
              "name": "[oss-security] 20181004 CVE update - fixed in Apache Ranger 1.2.0",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://seclists.org/oss-sec/2018/q4/11"
            },
            {
              "name": "[ranger-dev] 20200121 [jira] [Resolved] (RANGER-2681) CVE-2019-12397: Apache Ranger cross site scripting issue",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/r04bc435a92911de4b52d2b98f169bd7cf2e8bbeb53b03788df8f932c%40%3Cdev.ranger.apache.org%3E"
            },
            {
              "name": "[ranger-dev] 20200121 [jira] [Commented] (RANGER-2681) CVE-2019-12397: Apache Ranger cross site scripting issue",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/rd88077a781ef38f7687c100f93992f4dda8aa101925050c4af470998%40%3Cdev.ranger.apache.org%3E"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@apache.org",
              "DATE_PUBLIC": "2018-10-04T00:00:00",
              "ID": "CVE-2018-11778",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Apache Ranger",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "prior to 1.2.0"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Apache Software Foundation"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "UnixAuthenticationService in Apache Ranger 1.2.0 was updated to correctly handle user input to avoid Stack-based buffer overflow. Versions prior to 1.2.0 should be upgraded to 1.2.0"
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Overflow"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://cwiki.apache.org/confluence/display/RANGER/Vulnerabilities+found+in+Ranger",
                  "refsource": "CONFIRM",
                  "url": "https://cwiki.apache.org/confluence/display/RANGER/Vulnerabilities+found+in+Ranger"
                },
                {
                  "name": "[oss-security] 20181004 CVE update - fixed in Apache Ranger 1.2.0",
                  "refsource": "MLIST",
                  "url": "https://seclists.org/oss-sec/2018/q4/11"
                },
                {
                  "name": "[ranger-dev] 20200121 [jira] [Resolved] (RANGER-2681) CVE-2019-12397: Apache Ranger cross site scripting issue",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/r04bc435a92911de4b52d2b98f169bd7cf2e8bbeb53b03788df8f932c@%3Cdev.ranger.apache.org%3E"
                },
                {
                  "name": "[ranger-dev] 20200121 [jira] [Commented] (RANGER-2681) CVE-2019-12397: Apache Ranger cross site scripting issue",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/rd88077a781ef38f7687c100f93992f4dda8aa101925050c4af470998@%3Cdev.ranger.apache.org%3E"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "assignerShortName": "apache",
        "cveId": "CVE-2018-11778",
        "datePublished": "2018-10-05T19:00:00.000Z",
        "dateReserved": "2018-06-05T00:00:00.000Z",
        "dateUpdated": "2024-09-17T03:18:51.761Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2016-6815 (GCVE-0-2016-6815)

    Vulnerability from cvelistv5 – Published: 2017-10-13 14:00 – Updated: 2024-09-17 04:14
    VLAI
    Summary
    In Apache Ranger before 0.6.2, users with "keyadmin" role should not be allowed to change password for users with "admin" role.
    Severity
    No CVSS data available.
    CWE
    • Incorrect Privileges
    Assigner
    References
    Impacted products
    Vendor Product Version
    Apache Software Foundation Apache Ranger Affected: 0.5.x
    Affected: 0.6.0
    Affected: 0.6.1
    Create a notification for this product.
    Date Public
    2016-11-06 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-06T01:43:37.907Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "94221",
                "tags": [
                  "vdb-entry",
                  "x_refsource_BID",
                  "x_transferred"
                ],
                "url": "http://www.securityfocus.com/bid/94221"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://cwiki.apache.org/confluence/display/RANGER/Vulnerabilities+found+in+Ranger"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Apache Ranger",
              "vendor": "Apache Software Foundation",
              "versions": [
                {
                  "status": "affected",
                  "version": "0.5.x"
                },
                {
                  "status": "affected",
                  "version": "0.6.0"
                },
                {
                  "status": "affected",
                  "version": "0.6.1"
                }
              ]
            }
          ],
          "datePublic": "2016-11-06T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "In Apache Ranger before 0.6.2, users with \"keyadmin\" role should not be allowed to change password for users with \"admin\" role."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Incorrect Privileges",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2017-10-14T09:57:01.000Z",
            "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
            "shortName": "apache"
          },
          "references": [
            {
              "name": "94221",
              "tags": [
                "vdb-entry",
                "x_refsource_BID"
              ],
              "url": "http://www.securityfocus.com/bid/94221"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://cwiki.apache.org/confluence/display/RANGER/Vulnerabilities+found+in+Ranger"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@apache.org",
              "DATE_PUBLIC": "2016-11-06T00:00:00",
              "ID": "CVE-2016-6815",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Apache Ranger",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "0.5.x"
                              },
                              {
                                "version_value": "0.6.0"
                              },
                              {
                                "version_value": "0.6.1"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Apache Software Foundation"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "In Apache Ranger before 0.6.2, users with \"keyadmin\" role should not be allowed to change password for users with \"admin\" role."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Incorrect Privileges"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "94221",
                  "refsource": "BID",
                  "url": "http://www.securityfocus.com/bid/94221"
                },
                {
                  "name": "https://cwiki.apache.org/confluence/display/RANGER/Vulnerabilities+found+in+Ranger",
                  "refsource": "CONFIRM",
                  "url": "https://cwiki.apache.org/confluence/display/RANGER/Vulnerabilities+found+in+Ranger"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "assignerShortName": "apache",
        "cveId": "CVE-2016-6815",
        "datePublished": "2017-10-13T14:00:00.000Z",
        "dateReserved": "2016-08-12T00:00:00.000Z",
        "dateUpdated": "2024-09-17T04:14:03.099Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2016-8751 (GCVE-0-2016-8751)

    Vulnerability from cvelistv5 – Published: 2017-06-14 17:00 – Updated: 2024-08-06 02:35
    VLAI
    Summary
    Apache Ranger before 0.6.3 is vulnerable to a Stored Cross-Site Scripting in when entering custom policy conditions. Admin users can store some arbitrary javascript code to be executed when normal users login and access policies.
    Severity
    No CVSS data available.
    CWE
    • CSS
    Assigner
    References
    Impacted products
    Vendor Product Version
    Apache Software Foundation Apache Ranger Affected: 0.5.x
    Affected: 0.6.0 - 0.6.2
    Create a notification for this product.
    Date Public
    2017-02-01 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-06T02:35:00.223Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "99067",
                "tags": [
                  "vdb-entry",
                  "x_refsource_BID",
                  "x_transferred"
                ],
                "url": "http://www.securityfocus.com/bid/99067"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://cwiki.apache.org/confluence/display/RANGER/Vulnerabilities+found+in+Ranger"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Apache Ranger",
              "vendor": "Apache Software Foundation",
              "versions": [
                {
                  "status": "affected",
                  "version": "0.5.x"
                },
                {
                  "status": "affected",
                  "version": "0.6.0 - 0.6.2"
                }
              ]
            }
          ],
          "datePublic": "2017-02-01T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Apache Ranger before 0.6.3 is vulnerable to a Stored Cross-Site Scripting in when entering custom policy conditions. Admin users can store some arbitrary javascript code to be executed when normal users login and access policies."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "CSS",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2019-02-20T19:57:01.000Z",
            "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
            "shortName": "apache"
          },
          "references": [
            {
              "name": "99067",
              "tags": [
                "vdb-entry",
                "x_refsource_BID"
              ],
              "url": "http://www.securityfocus.com/bid/99067"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://cwiki.apache.org/confluence/display/RANGER/Vulnerabilities+found+in+Ranger"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@apache.org",
              "ID": "CVE-2016-8751",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Apache Ranger",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "0.5.x"
                              },
                              {
                                "version_value": "0.6.0 - 0.6.2"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Apache Software Foundation"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Apache Ranger before 0.6.3 is vulnerable to a Stored Cross-Site Scripting in when entering custom policy conditions. Admin users can store some arbitrary javascript code to be executed when normal users login and access policies."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CSS"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "99067",
                  "refsource": "BID",
                  "url": "http://www.securityfocus.com/bid/99067"
                },
                {
                  "name": "https://cwiki.apache.org/confluence/display/RANGER/Vulnerabilities+found+in+Ranger",
                  "refsource": "CONFIRM",
                  "url": "https://cwiki.apache.org/confluence/display/RANGER/Vulnerabilities+found+in+Ranger"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "assignerShortName": "apache",
        "cveId": "CVE-2016-8751",
        "datePublished": "2017-06-14T17:00:00.000Z",
        "dateReserved": "2016-10-18T00:00:00.000Z",
        "dateUpdated": "2024-08-06T02:35:00.223Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2017-7677 (GCVE-0-2017-7677)

    Vulnerability from cvelistv5 – Published: 2017-06-14 17:00 – Updated: 2024-08-05 16:12
    VLAI
    Summary
    In environments that use external location for hive tables, Hive Authorizer in Apache Ranger before 0.7.1 should be checking RWX permission for create table.
    Severity
    No CVSS data available.
    CWE
    • Authorization
    Assigner
    References
    Impacted products
    Vendor Product Version
    Apache Software Foundation Apache Ranger Affected: 0.5.x
    Affected: 0.6.x
    Affected: 0.7.0
    Create a notification for this product.
    Date Public
    2017-06-07 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T16:12:27.880Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "98961",
                "tags": [
                  "vdb-entry",
                  "x_refsource_BID",
                  "x_transferred"
                ],
                "url": "http://www.securityfocus.com/bid/98961"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://cwiki.apache.org/confluence/display/RANGER/Vulnerabilities+found+in+Ranger"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Apache Ranger",
              "vendor": "Apache Software Foundation",
              "versions": [
                {
                  "status": "affected",
                  "version": "0.5.x"
                },
                {
                  "status": "affected",
                  "version": "0.6.x"
                },
                {
                  "status": "affected",
                  "version": "0.7.0"
                }
              ]
            }
          ],
          "datePublic": "2017-06-07T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "In environments that use external location for hive tables, Hive Authorizer in Apache Ranger before 0.7.1 should be checking RWX permission for create table."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Authorization",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2017-06-15T09:57:01.000Z",
            "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
            "shortName": "apache"
          },
          "references": [
            {
              "name": "98961",
              "tags": [
                "vdb-entry",
                "x_refsource_BID"
              ],
              "url": "http://www.securityfocus.com/bid/98961"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://cwiki.apache.org/confluence/display/RANGER/Vulnerabilities+found+in+Ranger"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@apache.org",
              "ID": "CVE-2017-7677",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Apache Ranger",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "0.5.x"
                              },
                              {
                                "version_value": "0.6.x"
                              },
                              {
                                "version_value": "0.7.0"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Apache Software Foundation"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "In environments that use external location for hive tables, Hive Authorizer in Apache Ranger before 0.7.1 should be checking RWX permission for create table."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Authorization"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "98961",
                  "refsource": "BID",
                  "url": "http://www.securityfocus.com/bid/98961"
                },
                {
                  "name": "https://cwiki.apache.org/confluence/display/RANGER/Vulnerabilities+found+in+Ranger",
                  "refsource": "CONFIRM",
                  "url": "https://cwiki.apache.org/confluence/display/RANGER/Vulnerabilities+found+in+Ranger"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "assignerShortName": "apache",
        "cveId": "CVE-2017-7677",
        "datePublished": "2017-06-14T17:00:00.000Z",
        "dateReserved": "2017-04-11T00:00:00.000Z",
        "dateUpdated": "2024-08-05T16:12:27.880Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2016-8746 (GCVE-0-2016-8746)

    Vulnerability from cvelistv5 – Published: 2017-06-14 17:00 – Updated: 2024-08-06 02:34
    VLAI
    Summary
    Apache Ranger before 0.6.3 policy engine incorrectly matches paths in certain conditions when policy does not contain wildcards and has recursion flag set to true.
    Severity
    No CVSS data available.
    CWE
    • Authorization
    Assigner
    References
    Impacted products
    Date Public
    2017-02-01 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-06T02:34:59.604Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "95998",
                "tags": [
                  "vdb-entry",
                  "x_refsource_BID",
                  "x_transferred"
                ],
                "url": "http://www.securityfocus.com/bid/95998"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://cwiki.apache.org/confluence/display/RANGER/Vulnerabilities+found+in+Ranger"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Apache Ranger",
              "vendor": "Apache Software Foundation",
              "versions": [
                {
                  "status": "affected",
                  "version": "0.6.0 - 0.6.2"
                }
              ]
            }
          ],
          "datePublic": "2017-02-01T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Apache Ranger before 0.6.3 policy engine incorrectly matches paths in certain conditions when policy does not contain wildcards and has recursion flag set to true."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Authorization",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2017-06-15T09:57:01.000Z",
            "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
            "shortName": "apache"
          },
          "references": [
            {
              "name": "95998",
              "tags": [
                "vdb-entry",
                "x_refsource_BID"
              ],
              "url": "http://www.securityfocus.com/bid/95998"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://cwiki.apache.org/confluence/display/RANGER/Vulnerabilities+found+in+Ranger"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@apache.org",
              "ID": "CVE-2016-8746",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Apache Ranger",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "0.6.0 - 0.6.2"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Apache Software Foundation"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Apache Ranger before 0.6.3 policy engine incorrectly matches paths in certain conditions when policy does not contain wildcards and has recursion flag set to true."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Authorization"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "95998",
                  "refsource": "BID",
                  "url": "http://www.securityfocus.com/bid/95998"
                },
                {
                  "name": "https://cwiki.apache.org/confluence/display/RANGER/Vulnerabilities+found+in+Ranger",
                  "refsource": "CONFIRM",
                  "url": "https://cwiki.apache.org/confluence/display/RANGER/Vulnerabilities+found+in+Ranger"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "assignerShortName": "apache",
        "cveId": "CVE-2016-8746",
        "datePublished": "2017-06-14T17:00:00.000Z",
        "dateReserved": "2016-10-18T00:00:00.000Z",
        "dateUpdated": "2024-08-06T02:34:59.604Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2017-7676 (GCVE-0-2017-7676)

    Vulnerability from cvelistv5 – Published: 2017-06-14 17:00 – Updated: 2024-08-05 16:12
    VLAI
    Summary
    Policy resource matcher in Apache Ranger before 0.7.1 ignores characters after '*' wildcard character - like my*test, test*.txt. This can result in unintended behavior.
    Severity
    No CVSS data available.
    CWE
    • Authorization
    Assigner
    References
    Impacted products
    Vendor Product Version
    Apache Software Foundation Apache Ranger Affected: 0.5.x
    Affected: 0.6.x
    Affected: 0.7.0
    Create a notification for this product.
    Date Public
    2017-06-07 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T16:12:27.762Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://cwiki.apache.org/confluence/display/RANGER/Vulnerabilities+found+in+Ranger"
              },
              {
                "name": "98958",
                "tags": [
                  "vdb-entry",
                  "x_refsource_BID",
                  "x_transferred"
                ],
                "url": "http://www.securityfocus.com/bid/98958"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Apache Ranger",
              "vendor": "Apache Software Foundation",
              "versions": [
                {
                  "status": "affected",
                  "version": "0.5.x"
                },
                {
                  "status": "affected",
                  "version": "0.6.x"
                },
                {
                  "status": "affected",
                  "version": "0.7.0"
                }
              ]
            }
          ],
          "datePublic": "2017-06-07T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Policy resource matcher in Apache Ranger before 0.7.1 ignores characters after \u0027*\u0027 wildcard character - like my*test, test*.txt. This can result in unintended behavior."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Authorization",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2017-06-15T09:57:01.000Z",
            "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
            "shortName": "apache"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://cwiki.apache.org/confluence/display/RANGER/Vulnerabilities+found+in+Ranger"
            },
            {
              "name": "98958",
              "tags": [
                "vdb-entry",
                "x_refsource_BID"
              ],
              "url": "http://www.securityfocus.com/bid/98958"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@apache.org",
              "ID": "CVE-2017-7676",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Apache Ranger",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "0.5.x"
                              },
                              {
                                "version_value": "0.6.x"
                              },
                              {
                                "version_value": "0.7.0"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Apache Software Foundation"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Policy resource matcher in Apache Ranger before 0.7.1 ignores characters after \u0027*\u0027 wildcard character - like my*test, test*.txt. This can result in unintended behavior."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Authorization"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://cwiki.apache.org/confluence/display/RANGER/Vulnerabilities+found+in+Ranger",
                  "refsource": "CONFIRM",
                  "url": "https://cwiki.apache.org/confluence/display/RANGER/Vulnerabilities+found+in+Ranger"
                },
                {
                  "name": "98958",
                  "refsource": "BID",
                  "url": "http://www.securityfocus.com/bid/98958"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "assignerShortName": "apache",
        "cveId": "CVE-2017-7676",
        "datePublished": "2017-06-14T17:00:00.000Z",
        "dateReserved": "2017-04-11T00:00:00.000Z",
        "dateUpdated": "2024-08-05T16:12:27.762Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2016-5395 (GCVE-0-2016-5395)

    Vulnerability from cvelistv5 – Published: 2016-09-26 14:00 – Updated: 2024-08-06 01:00
    VLAI
    Summary
    Cross-site scripting (XSS) vulnerability in the create user functionality in the policy admin tool in Apache Ranger before 0.6.1 allows remote authenticated administrators to inject arbitrary web script or HTML via vectors related to policies.
    Severity
    No CVSS data available.
    CWE
    • n/a
    Assigner
    References
    Date Public
    2016-08-22 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-06T01:00:59.855Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://cwiki.apache.org/confluence/display/RANGER/Vulnerabilities+found+in+Ranger"
              },
              {
                "name": "92577",
                "tags": [
                  "vdb-entry",
                  "x_refsource_BID",
                  "x_transferred"
                ],
                "url": "http://www.securityfocus.com/bid/92577"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "datePublic": "2016-08-22T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Cross-site scripting (XSS) vulnerability in the create user functionality in the policy admin tool in Apache Ranger before 0.6.1 allows remote authenticated administrators to inject arbitrary web script or HTML via vectors related to policies."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2016-09-26T13:57:01.000Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://cwiki.apache.org/confluence/display/RANGER/Vulnerabilities+found+in+Ranger"
            },
            {
              "name": "92577",
              "tags": [
                "vdb-entry",
                "x_refsource_BID"
              ],
              "url": "http://www.securityfocus.com/bid/92577"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "secalert@redhat.com",
              "ID": "CVE-2016-5395",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "n/a",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "n/a"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Cross-site scripting (XSS) vulnerability in the create user functionality in the policy admin tool in Apache Ranger before 0.6.1 allows remote authenticated administrators to inject arbitrary web script or HTML via vectors related to policies."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "n/a"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://cwiki.apache.org/confluence/display/RANGER/Vulnerabilities+found+in+Ranger",
                  "refsource": "CONFIRM",
                  "url": "https://cwiki.apache.org/confluence/display/RANGER/Vulnerabilities+found+in+Ranger"
                },
                {
                  "name": "92577",
                  "refsource": "BID",
                  "url": "http://www.securityfocus.com/bid/92577"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2016-5395",
        "datePublished": "2016-09-26T14:00:00.000Z",
        "dateReserved": "2016-06-10T00:00:00.000Z",
        "dateUpdated": "2024-08-06T01:00:59.855Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }