High severity (8.8) · NVD Advisory · Published Apr 11, 2016 · Updated May 6, 2026

CVE-2016-0735


Description

Apache Ranger 0.5.x before 0.5.2 allows remote authenticated users to bypass intended parent resource-level access restrictions by leveraging mishandling of a resource-level exclude policy.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
org.apache.ranger:ranger (Maven)
>= 0.5.0, < 0.5.2 | 0.5.2

Affected products

  • Apache/Ranger — 2 versions
    • cpe:2.3:a:apache:ranger:0.5.0:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:ranger:0.5.1:*:*:*:*:*:*:*

Patches

18f216d0201e

RANGER-834 Correct the excludes flag's treatment when resource value denotes everything

https://github.com/apache/ranger · Alok Lal · Feb 1, 2016 · via ghsa
5 files changed · +124 −8
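--- a/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerAbstractResourceMatcher.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerAbstractResourceMatcher.java
@@ -222,4 +222,32 @@ public StringBuilder toString(StringBuilder sb) {
 
 		return sb;
 	}
+
+	/**
+	 * Is resource asking to authorize all possible values at this level?
+	 * @param resource
+	 * @return
+	 */
+	boolean isAllValuesRequested(String resource) {
+		boolean result = StringUtils.isEmpty(resource) || WILDCARD_ASTERISK.equals(resource);
+		if (LOG.isDebugEnabled()) {
+			LOG.debug("isAllValuesRequested(" + resource + "): " + result);
+		}
+		return result;
+	}
+
+	/**
+	 * The only case where excludes flag does NOT change the result is the following:
+	 * - Resource denotes all possible values (i.e. resource in (null, "", "*")
+	 * - where as policy does not allow all possible values (i.e. policy.values().contains("*")
+	 *
+	 * @param allValuesRequested
+	 * @param resultWithoutExcludes
+     * @return
+     */
+	public boolean applyExcludes(boolean allValuesRequested, boolean resultWithoutExcludes) {
+		if (!policyIsExcludes) return resultWithoutExcludes;                   // not an excludes policy!
+		if (allValuesRequested && !isMatchAny)  return resultWithoutExcludes;  // one case where excludes has no effect
+		return !resultWithoutExcludes;                                         // all other cases flip it
+	}
 }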
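Review bot: The Javadoc on `applyExcludes` contradicts the guard it documents: the second bullet says the policy "does not allow all possible values" but cites `policy.values().contains("*")`, whereas the code tests `!isMatchAny`; suggest `* - whereas the policy does not match all values (i.e. isMatchAny is false)`, and both new methods have empty `@param`/`@return` tags that should state the contract, e.g. `@return the match decision after the excludes flag has been applied`. `isAllValuesRequested` is package-private while `applyExcludes` is public; if `isMatch` overrides can live in other packages, they need the same visibility, and a sentence on the abstract class saying that every `isMatch` override must route its result through `applyExcludes` instead of flipping on `policyIsExcludes` itself would keep any other subclass from retaining the old behaviour, which I cannot verify from this diff. The closing tag lines of the second Javadoc are space-indented where the rest of the file uses tabs.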
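--- a/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerDefaultResourceMatcher.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerDefaultResourceMatcher.java
@@ -37,8 +37,9 @@ public boolean isMatch(String resource) {
 		}
 
 		boolean ret = false;
+		boolean allValuesRequested = isAllValuesRequested(resource);
 
-		if(resource == null || isMatchAny) {
+		if(allValuesRequested || isMatchAny) {
 			ret = isMatchAny;
 		} else {
 			for(String policyValue : policyValues) {
@@ -56,9 +57,7 @@ public boolean isMatch(String resource) {
 			}
 		}
 
-		if(policyIsExcludes) {
-			ret = !ret;
-		}
+		ret = applyExcludes(allValuesRequested, ret);
 
 		if(LOG.isDebugEnabled()) {
 			LOG.debug("<== RangerDefaultResourceMatcher.isMatch(" + resource + "): " + ret);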
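Review bot: The debug line at the end of the second hunk logs only `resource` and the final `ret`, but the decision now depends on `allValuesRequested`, `isMatchAny` and `policyIsExcludes`, none of which appears in the log when an exclude decision has to be traced. Suggest `LOG.debug("<== RangerDefaultResourceMatcher.isMatch(" + resource + "): " + ret + " [allValuesRequested=" + allValuesRequested + ", isMatchAny=" + isMatchAny + ", excludes=" + policyIsExcludes + "]");`; the same applies to the RangerPathResourceMatcher hunk. `""` and `"*"` now take the `ret = isMatchAny` branch where previously only `null` did, so a policy whose values list literally contains `""` behaves differently than before — presumably intended, but worth a line in the commit message. `isMatch` starts before the first hunk and continues past the second.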
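--- a/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerPathResourceMatcher.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerPathResourceMatcher.java
@@ -78,8 +78,9 @@ public boolean isMatch(String resource) {
 		}
 
 		boolean ret = false;
+		boolean allValuesRequested = isAllValuesRequested(resource);
 
-		if(resource == null || isMatchAny) {
+		if(allValuesRequested || isMatchAny) {
 			ret = isMatchAny;
 		} else {
 			IOCase caseSensitivity = optIgnoreCase ? IOCase.INSENSITIVE : IOCase.SENSITIVE;
@@ -103,9 +104,7 @@ public boolean isMatch(String resource) {
 			}
 		}
 
-		if(policyIsExcludes) {
-			ret = !ret;
-		}
+		ret = applyExcludes(allValuesRequested, ret);
 
 		if(LOG.isDebugEnabled()) {
 			LOG.debug("<== RangerPathResourceMatcher.isMatch(" + resource + "): " + ret);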
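Review bot: No RangerPathResourceMatcherTest accompanies this change, although `RangerPathResourceMatcher.isMatch` has its own matching branch (the `IOCase`-driven code that follows the first hunk) and was patched separately from the default matcher; the exclude truth table is pinned only for `RangerDefaultResourceMatcher`. A table-driven test mirroring RangerDefaultResourceMatcherTest, including the `null` resource against an excludes policy that is the bypass this commit fixes, would guard this matcher as well. `isMatch` begins before the first hunk and continues past the second.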
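--- /dev/null
+++ b/agents-common/src/test/java/org/apache/ranger/plugin/resourcematcher/RangerAbstractResourceMatcherTest.java
@@ -0,0 +1,32 @@
+package org.apache.ranger.plugin.resourcematcher;
+
+import org.junit.Test;
+
+import static org.junit.Assert.*;
+
+/**
+ * Created by alal on 1/29/16.
+ */
+public class RangerAbstractResourceMatcherTest {
+
+    @Test
+    public void test_isAllPossibleValues() {
+        RangerAbstractResourceMatcher matcher = new AbstractMatcherWrapper();
+        for (String resource : new String[] { null, "", "*"}) {
+            assertTrue(matcher.isAllValuesRequested(resource));
+        }
+
+        for (String resource : new String[] { " ", "\t", "\n", "foo"}) {
+            assertFalse(matcher.isAllValuesRequested(resource));
+        }
+    }
+
+    static class AbstractMatcherWrapper extends RangerAbstractResourceMatcher {
+
+        @Override
+        public boolean isMatch(String resource) {
+            fail("This method is not expected to be used by test!");
+            return false;
+        }
+    }
+}
\ No newline at end of file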
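Review bot: The test covers `isAllValuesRequested` only; `applyExcludes`, which carries the actual fix, has no direct test even though `AbstractMatcherWrapper` is already in place to host one. Its truth table is cheap to pin, e.g. `matcher.policyIsExcludes = true; matcher.isMatchAny = false;` followed by `assertTrue(matcher.applyExcludes(true, true)); assertFalse(matcher.applyExcludes(false, true));`, plus the `policyIsExcludes == false` and `isMatchAny == true` rows — whether those fields are assignable from the test depends on their visibility, which this diff does not show, though the sibling RangerDefaultResourceMatcherTest assigns them from a subclass. The IDE-generated `Created by alal on 1/29/16.` class comment says nothing about the test; a one-line purpose such as `Pins the "all values requested" detection that applyExcludes relies on.` would be more useful.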
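--- /dev/null
+++ b/agents-common/src/test/java/org/apache/ranger/plugin/resourcematcher/RangerDefaultResourceMatcherTest.java
@@ -0,0 +1,58 @@
+package org.apache.ranger.plugin.resourcematcher;
+
+import com.google.common.collect.Lists;
+import org.junit.Test;
+
+import static org.junit.Assert.*;
+
+/**
+ * Created by alal on 2/1/16.
+ */
+public class RangerDefaultResourceMatcherTest {
+
+    Object[][] data = {
+            // { resource, policy, excludes, result
+            { "*",  "*",  false, true },  // resource is all values
+            { "*",  "*",  true,  false },
+            { "*",  "a*", false, false }, // but, policy is not match any
+            { "*",  "a*", true,  false }, // ==> compare with above: exclude flag has no effect here
+            { "a*", "a",  false, false }, // resource has regex marker!
+            { "a*", "a",  true,  true },
+            { "a",  "a",  false, true },  // exact match
+            { "a",  "a",  true,  false },
+            { "a1", "a*", false, true },  // trivial regex match
+            { "a1", "a*", true,  false },
+    };
+
+    @Test
+    public void testIsMatch() throws Exception {
+        for (Object[] row : data) {
+            String resource = (String)row[0];
+            String policyValue = (String)row[1];
+            boolean excludes = (boolean)row[2];
+            boolean result = (boolean)row[3];
+
+            MatcherWrapper matcher = new MatcherWrapper(policyValue, excludes);
+            assertEquals(getMessage(row), result, matcher.isMatch(resource));
+        }
+    }
+
+    String getMessage(Object[] row) {
+        return String.format("Resource=%s, Policy=%s, excludes=%s, result=%s",
+                (String)row[0], (String)row[1], (boolean)row[2], (boolean)row[3]);
+    }
+
+    static class MatcherWrapper extends RangerDefaultResourceMatcher {
+        MatcherWrapper(String policyValue, boolean exclude) {
+            this.policyValues = Lists.newArrayList(policyValue);
+            if (WILDCARD_ASTERISK.equals(policyValue)) {
+                this.isMatchAny = true;
+            }
+            if (policyValue.contains(WILDCARD_ASTERISK)) {
+                this.optWildCard = true;
+            }
+            this.policyIsExcludes = exclude;
+        }
+    }
+
+}
\ No newline at end of file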
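Review bot: The data table never uses `null` or `""` as the resource, yet a `null` resource against an excludes policy is the parent-level check the advisory describes and the case the fix exists for; only `"*"` stands in for "all values" here. Adding `{ null, "a*", true,  false },` and `{ "",   "a*", true,  false },` (and their non-excludes counterparts) would pin the bypass directly rather than by analogy. `MatcherWrapper` also seeds `policyValues`, `isMatchAny`, `optWildCard` and `policyIsExcludes` by hand, which presumably mirrors the matcher's normal initialization; if that initialization changes, the wrapper will silently diverge from what production runs, so constructing through the matcher's regular setup would be more robust — I cannot tell from this diff what that entry point is. The table is declared as a mutable package-private field; `private static final` would match its use.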

