VYPR

Moderate severity · NVD Advisory · Published Jan 21, 2025 · Updated Jun 10, 2025

Apache Ranger: Stored XSS in Edit Service page - Add logic to validate user input

CVE-2024-45478

Description

Stored XSS vulnerability in Edit Service Page of Apache Ranger UI in Apache Ranger Version 2.4.0. Users are recommended to upgrade to version Apache Ranger 2.5.0, which fixes this issue.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Apache Ranger 2.4.0 contains a stored XSS vulnerability in the Edit Service page, allowing attackers to inject malicious scripts that execute when administrators view the compromised service configuration.

Vulnerability

Description

CVE-2024-45478 is a stored cross-site scripting (XSS) vulnerability found in the Edit Service Page of Apache Ranger UI, affecting Apache Ranger version 2.4.0 [2]. The root cause is insufficient validation of user-supplied input when editing service configurations, allowing an attacker to store arbitrary JavaScript code that will execute in the context of other users who view the affected page [1].

Exploitation

An attacker with access to the Apache Ranger policy admin UI can exploit this flaw by injecting malicious scripts into service fields during the editing process [4]. No special privileges beyond normal administrative access to the Ranger interface are required; the payload is stored on the server and delivered to any user—including other administrators—who navigates to the Edit Service page [1][4].

Impact

Successful exploitation enables the attacker to execute arbitrary JavaScript in the victim's browser session. This can lead to session hijacking, theft of authentication cookies, unauthorized modifications to Ranger policies, and further compromise of the data security controls managed by Apache Ranger [1].

Mitigation

Apache has released version 2.5.0, which adds proper input validation logic to prevent this stored XSS issue [1][2]. Users running Apache Ranger 2.4.0 are strongly recommended to upgrade to 2.5.0 or later [4]. No workarounds other than upgrading have been indicated by the vendor [1][2].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                    Ecosystem   Affected versions   Patched versions
org.apache.ranger:ranger   Maven       < 2.5.0             2.5.0
