Ranger
by Apache
CVEs (10)
| CVE | Severity | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2017-7676 | Critical | 0.64 | 9.8 | 0.01 | | Jun 14, 2017 | Policy resource matcher in Apache Ranger before 0.7.1 ignores characters after '*' wildcard character - like my*test, test*.txt. This can result in unintended behavior. |
| CVE-2016-0733 | Critical | 0.64 | 9.8 | 0.02 | | Apr 12, 2016 | The Admin UI in Apache Ranger before 0.5.1 does not properly handle authentication requests that lack a password, which allows remote attackers to bypass authentication by leveraging knowledge of a valid username. |
| CVE-2016-0735 | High | 0.50 | 8.8 | 0.00 | | Apr 11, 2016 | Apache Ranger 0.5.x before 0.5.2 allows remote authenticated users to bypass intended parent resource-level access restrictions by leveraging mishandling of a resource-level exclude policy. |
| CVE-2015-0266 | High | 0.46 | 7.1 | 0.00 | | Apr 11, 2016 | The Policy Admin Tool in Apache Ranger before 0.5.0 allows remote authenticated users to bypass intended access restrictions via direct access to module URLs. |
| CVE-2016-6815 | Medium | 0.42 | 6.5 | 0.00 | | Oct 13, 2017 | In Apache Ranger before 0.6.2, users with "keyadmin" role should not be allowed to change password for users with "admin" role. |
| CVE-2015-5167 | Medium | 0.42 | 6.5 | 0.00 | | Apr 12, 2016 | The Policy Admin Tool in Apache Ranger before 0.5.1 allows remote authenticated users to bypass intended access restrictions via the REST API. |
| CVE-2015-0265 | Medium | 0.40 | 6.1 | 0.02 | | Apr 11, 2016 | Cross-site scripting (XSS) vulnerability in the Policy Admin Tool in Apache Ranger before 0.5.0 allows remote attackers to inject arbitrary web script or HTML via the HTTP User-Agent header. |
| CVE-2017-7677 | Medium | 0.38 | 5.9 | 0.00 | | Jun 14, 2017 | In environments that use external location for Hive tables, Hive Authorizer in Apache Ranger before 0.7.1 should be checking RWX permission for create table. |
| CVE-2016-8751 | Medium | 0.31 | 4.8 | 0.00 | | Jun 14, 2017 | Apache Ranger before 0.6.3 is vulnerable to a Stored Cross-Site Scripting when entering custom policy conditions. Admin users can store some arbitrary JavaScript code to be executed when normal users log in and access policies. |
| CVE-2016-8746 | Medium | 0.31 | 5.9 | 0.01 | | Jun 14, 2017 | Apache Ranger before 0.6.3 policy engine incorrectly matches paths in certain conditions when policy does not contain wildcards and has recursion flag set to true. |