Medium severity · 5.9 · NVD Advisory · Published Jun 14, 2017 · Updated May 13, 2026

CVE-2016-8746

CVE-2016-8746

Description

The policy engine in Apache Ranger before 0.6.3 incorrectly matches paths under certain conditions when a policy does not contain wildcards and has the recursion flag set to true.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
org.apache.ranger:ranger-plugins-common (Maven) | < 0.6.3 | 0.6.3

Affected products

2
  • cpe:2.3:a:apache:ranger:*:*:*:*:*:*:*:*
    Range: <=0.6.2
  • Apache Software Foundation/Apache Rangerv5
    Range: 0.6.0 - 0.6.2

Patches

1
2fcd7f7cc175

RANGER-1229: fix resource-matcher to correctly handle policy containing only one resource whose value is '*'

https://github.com/apache/ranger · Abhay Kulkarni · Nov 29, 2016 · via ghsa
4 files changed · +89 2
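--- a/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerAbstractResourceMatcher.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerAbstractResourceMatcher.java
@@ -267,7 +267,7 @@ public boolean applyExcludes(boolean allValuesRequested, boolean resultWithoutEx
 	ResourceMatcher getMatcher(String policyValue) {
 		final int len = policyValue != null ? policyValue.length() : 0;
 
-		if (len == 0 || (optWildCard && policyValue.equals(WILDCARD_ASTERISK))) {
+		if (len == 0) {
 			return null;
 		}
 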
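Review bot: With the `*` special case dropped from the guard, a lone `*` now falls through to the rest of getMatcher, which lies outside this hunk, and nothing here says what matcher that value is expected to produce. The path matcher changed in the same commit handles it with an explicit branch and a comment; this method should at least carry the reason, e.g. `// a lone '*' must yield a matcher rather than null so that isMatchAny() can be derived from it (RANGER-1229)`. Because this decides whether a policy applies to a resource, it is worth confirming against the unseen remainder of the method that `*` ends up as a match-any matcher when optWildCard is true and as a literal value when it is false.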
    
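--- a/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerPathResourceMatcher.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerPathResourceMatcher.java
@@ -92,10 +92,15 @@ ResourceMatcher getMatcher(String policyValue) {
 
 		final int len = policyValue != null ? policyValue.length() : 0;
 
-		if (len == 0 || (optWildCard && policyValue.equals(WILDCARD_ASTERISK))) {
+		if (len == 0) {
 			return null;
 		}
 
+		// To ensure that when policyValue is single '*', ResourceMatcher created here returns true for isMatchAny()
+		if (optWildCard && policyValue.equals(WILDCARD_ASTERISK)) {
+			return new CaseInsensitiveStringMatcher("");
+		}
+
 		boolean isWildcardPresent = false;
 
 		if (optWildCard) {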
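Review bot: The new `*` branch in RangerPathResourceMatcher.getMatcher has no test in this commit: the fixture added alongside it declares only RangerDefaultResourceMatcher for its resources, so the path matcher's handling of a lone `*`, with and without the recursive flag, is never run. The branch also depends on an empty-string `CaseInsensitiveStringMatcher` being reported as match-any, which the comment states but this hunk does not show; a short remark on why the empty string has that effect, or a named constant for it, would keep a later change to that class from silently altering which paths a `*` policy covers. getMatcher continues past the end of the hunk.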
    
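--- a/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
+++ b/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
@@ -214,6 +214,13 @@ public void testPolicyEngine_hbase() {
 		runTestsFromResourceFiles(hbaseTestResourceFiles);
 	}
 
+	@Test
+	public void testPolicyEngine_hbase_with_multiple_matching_policies() {
+		String[] hbaseTestResourceFiles = { "/policyengine/test_policyengine_hbase_multiple_matching_policies.json" };
+
+		runTestsFromResourceFiles(hbaseTestResourceFiles);
+	}
+
 	@Test
 	public void testPolicyEngine_conditions() {
 		String[] conditionsTestResourceFiles = { "/policyengine/test_policyengine_conditions.json" };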
    
  • agents-common/src/test/resources/policyengine/test_policyengine_hbase_multiple_matching_policies.json+75 0 added
    @@ -0,0 +1,75 @@
    +{
    +  "serviceName":"hbasedev",
    +
    +  "serviceDef":{
    +    "name":"hbase",
    +    "id":2,
    +    "resources":[
    +      {"name":"table","level":1,"parent":"","mandatory":true,"lookupSupported":true,"matcher":"org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher","matcherOptions":{"wildCard":true, "ignoreCase":true},"label":"HBase Table","description":"HBase Table"},
    +      {"name":"column-family","level":2,"parent":"table","mandatory":true,"lookupSupported":true,"matcher":"org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher","matcherOptions":{"wildCard":true, "ignoreCase":true},"label":"HBase Column-Family","description":"HBase Column-Family"},
    +      {"name":"column","level":3,"parent":"column-family","mandatory":true,"lookupSupported":true,"matcher":"org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher","matcherOptions":{"wildCard":true, "ignoreCase":true},"label":"HBase Column","description":"HBase Column"}
    +    ],
    +    "accessTypes":[
    +      {"name":"read","label":"Read"},
    +      {"name":"write","label":"Write"},
    +      {"name":"create","label":"Create"},
    +      {"name":"admin","label":"Admin","impliedGrants":["read","write","create"]}
    +    ]
    +  },
    +
    +  "policies":[
    +    {"id":1,"name":"table=default,*; column-family=default,*; column=default, *: audit-all-access","isEnabled":true,"isAuditEnabled":true,
    +     "resources":{"table":{"values":["default", "*"]},"column-family":{"values":["default", "*"]}, "column":{"values":["default", "*"]}},
    +     "policyItems":[
    +       {"accesses":[{"type":"read","isAllowed":true},{"type":"write","isAllowed":true}, {"type":"create", "isAllowed":true},
    +         {"type":"admin", "isAllowed":true}],"users":["user1"],"groups":[],"delegateAdmin":false}
    +       ,
    +       {"accesses":[{"type":"read","isAllowed":true}],"users":["hrt_qa"],"groups":[],"delegateAdmin":false}
    +     ]
    +    }
    +    ,
    +    {"id":2,"name":"table=*; column-family=*; column=*: audit-all-access","isEnabled":true,"isAuditEnabled":true,
    +      "resources":{"table":{"values":["*"]},"column-family":{"values":["*"]}, "column":{"values":["*"]}},
    +      "policyItems":[
    +        {"accesses":[{"type":"read","isAllowed":true},{"type":"write","isAllowed":true}, {"type":"create", "isAllowed":true},
    +          {"type":"admin", "isAllowed":true}],"users":["user1"],"groups":[],"delegateAdmin":false}
    +      ,
    +        {"accesses":[{"type":"read","isAllowed":true}, {"type":"write", "isAllowed":true}],"users":["hrt_qa"],"groups":[],"delegateAdmin":false}
    +      ]
    +    }
    +  ],
    +
    +  "tests":[
    +    {"name":"TEST!!! ALLOW 'scan finance restricted-cf;' for hrt_qa",
    +      "request":{
    +        "resource":{"elements":{"table":"finance","column-family":"restricted-cf"}},
    +        "accessType":"read","user":"hrt_qa","userGroups":[],"requestData":"scan finance restricted-cf; for hrt_qa"
    +      },
    +      "result":{"isAudited":true,"isAllowed":true,"policyId":1}
    +    }
    +  ,
    +    {"name":"TEST!!! ALLOW 'put finance restricted-cf;' for hrt_qa",
    +     "request":{
    +      "resource":{"elements":{"table":"finance","column-family":"restricted-cf"}},
    +      "accessType":"write","user":"hrt_qa","userGroups":[],"requestData":"put finance restricted-cf; for hrt_qa"
    +     },
    +     "result":{"isAudited":true,"isAllowed":true,"policyId":2}
    +    },
    +    {"name":"TEST!!! DENY 'create finance restricted-cf;' for hrt_qa",
    +      "request":{
    +        "resource":{"elements":{"table":"finance","column-family":"restricted-cf"}},
    +        "accessType":"create","user":"hrt_qa","userGroups":[],"requestData":"create finance restricted-cf; for hrt_qa"
    +      },
    +      "result":{"isAudited":true,"isAllowed":false,"policyId":-1}
    +    }
    +    ,
    +    {"name":"TEST!!! ALLOW 'create finance restricted-cf;' for user1",
    +      "request":{
    +        "resource":{"elements":{"table":"finance","column-family":"restricted-cf"}},
    +        "accessType":"create","user":"user1","userGroups":[],"requestData":"create finance restricted-cf; for user1"
    +      },
    +      "result":{"isAudited":true,"isAllowed":true,"policyId":1}
    +    }
    +  ]
    +}
    +
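Review bot: Every policy in this fixture lists `*` for table, column-family and column, so each request matches both policies on resource and the single DENY case is decided by access type alone. For a fix to resource matching, the fixture should also carry a policy whose values contain no wildcard (for example only `default`) and a request for a different table that expects `"isAllowed":false`, so that a matcher which over-matches would fail the test. As written, the tests would still pass if every policy value were treated as match-any.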
    


References

5
