Note |
---|
Before reporting any security related JIRAs, please go through Apache's guidance for VULNERABILITY HANDLING |
Fixed in Ranger 0.6.2
...
CVE-2016-6815: Apache Ranger user privilege vulnerability
Severity: Normal
Vendor: The Apache Software Foundation
Versions Affected: All 0.5.x versions or 0.6.0/0.6.1 versions of Apache Ranger
Users affected: All users of ranger policy admin tool
Description: Users with "keyadmin" role should not be allowed to change password for users with "admin" role.
Fix detail: Added logic to validate the user privilege in the backend.
Mitigation: Users should upgrade to 0.6.2 or later version of Apache Ranger with the fix.
Fixed in Ranger 0.6.1
...
CVE-2016-5395: Apache Ranger Stored Cross Site Scripting vulnerability
...