Note |
---|
Before reporting any security related JIRAs, please go through Apache's guidance for VULNERABILITY HANDLING |
Fixed in Ranger 0.6.3
...
CVE-2016-8746: Apache Ranger path matching issue in policy evaluation
Severity: Normal
Vendor: The Apache Software Foundation
Versions Affected: 0.6.0/0.6.1/0.6.2 versions of Apache Ranger
Users affected: All users of ranger policy admin tool
Description: Ranger policy engine incorrectly matches paths in certain conditions when policy does not contain wildcards and has recursion flag set to true.
Fix detail: Fixed policy evaluation logic.
Mitigation: Users should upgrade to 0.6.3 or later version of Apache Ranger with the fix.
...
CVE-2016-8751: Apache Ranger stored cross site scripting issue
Severity: Normal
Vendor: The Apache Software Foundation
Versions Affected: 0.5.x and 0.6.0/0.6.1/0.6.2 versions of Apache Ranger
Users affected: All users of ranger policy admin tool
Description: Apache Ranger was found to be vulnerable to a Stored Cross-Site Scripting in when entering custom policy conditions. Admin users can store some arbitrary javascript code to be executed when normal users login and access policies.
Fix detail: Added logic to sanitize the user input.
Mitigation: Users should upgrade to 0.6.3 or later version of Apache Ranger with the fix.
Fixed in Ranger 0.6.2
...
CVE-2016-6815: Apache Ranger user privilege vulnerability
...