Before reporting any security-related JIRAs, please go through Apache's guidance for VULNERABILITY HANDLING
Fixed in Ranger 0.6.3
CVE-2016-8746: Apache Ranger path matching issue in policy evaluation
Severity: Normal
Vendor: The Apache Software Foundation
Versions Affected: 0.6.0/0.6.1/0.6.2 versions of Apache Ranger
Users affected: All users of ranger policy admin tool
Description: The Ranger policy engine incorrectly matches paths when a policy contains no wildcards but has its recursion flag set to true.
Fix detail: Fixed policy evaluation logic.
Mitigation: Users should upgrade to 0.6.3 or later version of Apache Ranger with the fix.
CVE-2016-8751: Apache Ranger stored cross site scripting issue
Severity: Normal
Vendor: The Apache Software Foundation
Versions Affected: 0.5.x and 0.6.0/0.6.1/0.6.2 versions of Apache Ranger
Users affected: All users of ranger policy admin tool
Description: Apache Ranger was found to be vulnerable to stored cross-site scripting when entering custom policy conditions. Admin users can store arbitrary JavaScript code that is executed when normal users log in and access policies.
Fix detail: Added logic to sanitize the user input.
Mitigation: Users should upgrade to 0.6.3 or later version of Apache Ranger with the fix.
Fixed in Ranger 0.6.2
CVE-2016-6815: Apache Ranger user privilege vulnerability
Severity: Normal
Vendor: The Apache Software Foundation
Versions Affected: All 0.5.x versions or 0.6.0/0.6.1 versions of Apache Ranger
Users affected: All users of ranger policy admin tool
Description: Users with the "keyadmin" role should not be allowed to change the password of users with the "admin" role, but this restriction was not enforced.
Fix detail: Added logic to validate the user privilege in the backend.
Mitigation: Users should upgrade to 0.6.2 or later version of Apache Ranger with the fix.
Fixed in Ranger 0.6.1
CVE-2016-5395: Apache Ranger Stored Cross Site Scripting vulnerability
Severity: Normal
Vendor: The Apache Software Foundation
Versions Affected: All 0.5.x versions of Apache Ranger and version 0.6.0
Users Affected: All users of ranger policy admin tool
Description: Apache Ranger was found to be vulnerable to stored cross-site scripting in the create user functionality. Admin users can store arbitrary JavaScript code that is executed when normal users log in and access policies.
Fix details: Added logic to sanitize the user input.
Mitigation: Users should upgrade to 0.6.1 or later version of Apache Ranger with the fix.
Credit: Thanks to Victor Hora from Securus Global for reporting this issue.
Fixed in Ranger 0.5.3
CVE-2016-2174: Apache Ranger SQL injection vulnerability
Severity: Normal
Vendor: The Apache Software Foundation
Versions Affected: All versions of Apache Ranger from 0.5.0 (up to 0.5.3)
Users Affected: All admin users of ranger policy admin tool
Description: SQL injection vulnerability in the Audit > Access tab. When the user clicks an element in the policyId row of the list, a request is made underneath with an eventTime parameter, and that parameter is where the vulnerability lies. Admin users can send arbitrary SQL code to be executed along with the eventTime parameter via the /service/plugins/policies/eventTime URL.
Fix details: Replaced native queries with JPA named queries.
Mitigation: Users should upgrade to 0.5.3 version of Apache Ranger with the fix.
Credit: Thanks to Mateusz Olejarka from SecuRing for reporting this issue.
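The fix detail above replaces native queries with JPA named queries. As an added illustration (not Ranger's own code; the AuditRecord entity, the AuditDao class and the x_audit table are assumptions), here is the vulnerable string-concatenation pattern next to a named query with a bound parameter:

```java
import java.util.Date;
import java.util.List;
import javax.persistence.Entity;
import javax.persistence.EntityManager;
import javax.persistence.Id;
import javax.persistence.NamedQuery;
import javax.persistence.Query;
import javax.persistence.TypedQuery;

// Hypothetical audit entity used for illustration; not Ranger's own class.
@Entity
@NamedQuery(name = "AuditRecord.findByEventTime",
            query = "SELECT a FROM AuditRecord a WHERE a.eventTime = :eventTime")
public class AuditRecord {
    @Id
    private Long id;
    private String policyId;
    private Date eventTime;

    public Date getEventTime() { return eventTime; }
}

// Hypothetical DAO showing the vulnerable pattern next to the fixed one.
class AuditDao {
    private final EntityManager em;

    AuditDao(EntityManager em) { this.em = em; }

    // Vulnerable pattern: the raw request parameter is spliced into a native
    // SQL string, so whatever the caller places in eventTime is parsed as SQL.
    List<?> findByEventTimeUnsafe(String eventTimeFromRequest) {
        String sql = "SELECT * FROM x_audit WHERE event_time = '"
                   + eventTimeFromRequest + "'";
        Query q = em.createNativeQuery(sql);
        return q.getResultList();
    }

    // Fixed pattern: a named JPQL query with a bound parameter. The value
    // travels to the database as data and is never interpreted as part of
    // the statement; the caller must already hold a typed Date, so malformed
    // input is rejected before any query is built.
    List<AuditRecord> findByEventTime(Date eventTime) {
        TypedQuery<AuditRecord> q =
            em.createNamedQuery("AuditRecord.findByEventTime", AuditRecord.class);
        q.setParameter("eventTime", eventTime);
        return q.getResultList();
    }
}
```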
Fixed in Ranger 0.5.1
CVE-2015-5167: Restrict REST API data access for non-admin users
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected: 0.4.0 and 0.5.0 version of Apache Ranger
Users affected: All users of ranger policy admin tool
Description: Data access restrictions via the REST API are not consistent with the restrictions in the policy admin UI.
Mitigation: Users should upgrade to Ranger 0.5.1 version
CVE-2016-0733: Ranger Admin authentication issue
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected: 0.4.0 and 0.5.0 version of Apache Ranger
Users affected: All users of ranger policy admin tool
Description: Malicious users can gain access to the Ranger admin UI without proper authentication.
Mitigation: Users should upgrade to Ranger 0.5.1 version
Fixed in Ranger 0.5.0
CVE-2015-0265: Apache Ranger code injection vulnerability
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected: 0.4.0 version of Apache Ranger
Users affected: All admin users of ranger policy admin tool
Description: Unauthorized users can submit JavaScript code that is executed in the admin sessions of the Ranger policy admin tool.
Fix detail: Added logic to sanitize the user input
Mitigation: Users should upgrade to 0.5.0+ version of Apache Ranger with the fix
Credit: Thanks to Jakub Kałużny from SecuRing for reporting this issue
CVE-2015-0266: Apache Ranger direct url access vulnerability
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected: 0.4.0 version of Apache Ranger
Users affected: All users of ranger policy admin tool
Description: Regular users can type in the URL of modules that are accessible only to admin users and reach them directly.
Fix detail: Added logic in the backend to verify user access
Mitigation: Users should upgrade to 0.5.0+ version of Apache Ranger with the fix
Credit: Thanks to Jakub Kałużny from SecuRing for reporting this issue