CVE-2019-12397
Description
Policy import functionality in Apache Ranger 0.7.0 to 1.2.0 is vulnerable to a cross-site scripting issue. Upgrade to 2.0.0 or later version of Apache Ranger with the fix.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A stored Cross-Site Scripting (XSS) vulnerability in Apache Ranger's policy import functionality affects versions 0.7.0 to 1.2.0, fixed in 2.0.0.
Vulnerability
Description
The policy import functionality in Apache Ranger versions 0.7.0 through 1.2.0 is vulnerable to a Cross-Site Scripting (XSS) issue. An attacker can inject malicious script into the content submitted through the policy import process. The vulnerability is present in the policy admin tool, which is used to import policies into Apache Ranger [1][3].
Exploitation
An attacker with access to the policy import functionality can craft a malicious policy containing an XSS payload. When an administrator imports this policy via the web interface, the injected script executes in the context of the administrator's browser. The attacker does not require authentication to import policies; however, the victim must be an authenticated admin using the policy admin tool [1][3].
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the browser of an authenticated administrator. This can lead to session hijacking, manipulation of Ranger policies, or unauthorized actions performed on behalf of the victim. The vulnerability is stored, meaning the injected script persists and may affect all users who view the imported policy [1][3].
Mitigation
The vulnerability is fixed in Apache Ranger 2.0.0 and later versions. Users running versions 0.7.0 to 1.2.0 must upgrade to at least 2.0.0. The fix involves proper input validation during policy import [1][3]. As of the publication date, the vendor advisory confirms the fix is available in the 2.0.0 release [2][3].
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.apache.ranger:ranger | Maven | >= 0.7.0, < 2.0.0 | 2.0.0 |
Affected products
- Apache Software Foundation / Apache Ranger, range: 0.7.0 to 1.2.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-fpqp-v323-44xv (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2019-12397 (NVD advisory)
- www.openwall.com/lists/oss-security/2019/08/08/1 (oss-security mailing list)
- cwiki.apache.org/confluence/display/RANGER/Vulnerabilities+found+in+Ranger (vendor confirmation)
- lists.apache.org/thread.html/ab2de1adad96f5dbd19d976b28715dfc60dbe75e82a74f48be8ef695%40%3Cdev.ranger.apache.org%3E (dev.ranger.apache.org mailing list)
- lists.apache.org/thread.html/cbc6346708ef2b9ffb2555637311bf6294923c609c029389fa39de8f%40%3Cdev.ranger.apache.org%3E (dev.ranger.apache.org mailing list)
- lists.apache.org/thread.html/r04bc435a92911de4b52d2b98f169bd7cf2e8bbeb53b03788df8f932c%40%3Cdev.ranger.apache.org%3E (dev.ranger.apache.org mailing list)
- lists.apache.org/thread.html/rd88077a781ef38f7687c100f93992f4dda8aa101925050c4af470998%40%3Cdev.ranger.apache.org%3E (dev.ranger.apache.org mailing list)
News mentions
No linked articles in our index yet.