Note: Before reporting any security related JIRAs, please go through Apache's guidance for VULNERABILITY HANDLING.
Fixed in Ranger 0.5.3
...
CVE-2016-2174: Apache Ranger sql injection vulnerability
Severity: Normal
Vendor: The Apache Software Foundation
Versions Affected: All versions of Apache Ranger from 0.5.0 (up to 0.5.3)
Users Affected: All admin users of the Ranger policy admin tool
Description: SQL injection vulnerability in the Audit > Access tab. When a user clicks an element in the policyId column of the list, the UI makes an underlying call that passes an eventTime parameter, and that parameter is where the vulnerability lies. Admin users can send arbitrary SQL code to be executed along with the eventTime parameter via the /service/plugins/policies/eventTime URL.
Fix details: Replaced native queries with JPA named queries
Mitigation: Users should upgrade to version 0.5.3 of Apache Ranger, which contains the fix.
Credit: Thanks to Mateusz Olejarka from SecuRing for reporting this issue.
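The fix details above ("replaced native queries with JPA named queries") describe a general pattern worth seeing side by side. The following is an added example, not Ranger's own code: a hypothetical audit repository that first builds a native query by string concatenation (the class of defect the advisory describes) and then the same lookup as a JPA named query with bound parameters. The entity name `AuditEvent`, the table name `audit_events`, the column names and the query name are all assumptions made for illustration.

```java
import javax.persistence.Entity;
import javax.persistence.EntityManager;
import javax.persistence.Id;
import javax.persistence.NamedQuery;
import javax.persistence.Query;
import javax.persistence.TypedQuery;
import java.text.ParseException;
import java.text.SimpleDateFormat;
import java.util.Date;
import java.util.List;

// Hypothetical audit entity; the names here are illustrative, not Ranger's real schema.
@Entity
@NamedQuery(
    name = "AuditEvent.findByPolicyAndTime",
    query = "SELECT e FROM AuditEvent e WHERE e.policyId = :policyId AND e.eventTime <= :eventTime"
)
class AuditEvent {
    @Id public Long id;
    public Long policyId;
    public Date eventTime;
}

public class AuditEventRepository {
    private final EntityManager em;

    public AuditEventRepository(EntityManager em) {
        this.em = em;
    }

    // BEFORE (the pattern the advisory describes): the caller-supplied eventTime string is
    // spliced into the SQL text. Whatever it contains is parsed by the database as part of
    // the statement, so data and query grammar are no longer separated.
    public List<?> findVulnerable(long policyId, String eventTime) {
        String sql = "SELECT * FROM audit_events WHERE policy_id = " + policyId
                   + " AND event_time <= '" + eventTime + "'";
        Query q = em.createNativeQuery(sql);
        return q.getResultList();
    }

    // AFTER: a JPA named query with bound parameters. The statement text is fixed at
    // class-load time; parameter values travel to the driver separately and are never
    // parsed as SQL. The value is also typed as Date, so a malformed string cannot reach
    // the query at all.
    public List<AuditEvent> findSafe(long policyId, Date eventTime) {
        TypedQuery<AuditEvent> q =
            em.createNamedQuery("AuditEvent.findByPolicyAndTime", AuditEvent.class);
        q.setParameter("policyId", policyId);
        q.setParameter("eventTime", eventTime);
        return q.getResultList();
    }

    // Strict parsing of the request parameter at the boundary. Parameter binding alone
    // prevents injection; rejecting anything that is not a well-formed timestamp
    // additionally keeps junk out of logs and gives the caller a clear 400-style error.
    public static Date parseEventTime(String raw) {
        SimpleDateFormat fmt = new SimpleDateFormat("yyyy-MM-dd HH:mm:ss");
        fmt.setLenient(false); // "2016-13-45 ..." is an error, not silently rolled over
        try {
            return fmt.parse(raw);
        } catch (ParseException e) {
            throw new IllegalArgumentException("eventTime must be yyyy-MM-dd HH:mm:ss", e);
        }
    }
}
```

The two methods return the same rows for well-formed input; the difference is only where the untrusted value ends up. In `findVulnerable` it is part of the statement, in `findSafe` it is a bound value of a fixed statement. Swapping `createNativeQuery` for `createNamedQuery` is not by itself the fix; the fix is that every user-controlled value is passed through `setParameter` rather than concatenated, which is what a named query with `:placeholders` enforces by construction.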
Fixed in Ranger 0.5.1
...
CVE-2015-5167: Restrict REST API data access for non-admin users
...