Posted to dev@ranger.apache.org by Velmurugan Periasamy <ve...@apache.org> on 2017/02/01 19:08:50 UTC

CVE update - fixed in Apache Ranger 0.6.3

Hello:

Please find below details on CVEs fixed in Ranger 0.6.3 release. Release details can be found at https://cwiki.apache.org/confluence/display/RANGER/0.6.3+Release+-+Apache+Ranger

Thank you,
Velmurugan Periasamy

-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
CVE-2016-8746: Apache Ranger path matching issue in policy evaluation
Severity: Normal
Vendor: The Apache Software Foundation
Versions Affected: 0.6.0/0.6.1/0.6.2 versions of Apache Ranger
Users affected: All users of ranger policy admin tool
Description: The Ranger policy engine incorrectly matches paths in certain conditions when a policy does not contain wildcards and has the recursion flag set to true.
Fix detail: Fixed policy evaluation logic.
Mitigation: Users should upgrade to 0.6.3 or later version of Apache Ranger with the fix.
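The advisory above does not spell out the exact matching condition that went wrong, so the following is an added illustration (not Ranger's own code) of the property a wildcard-free, recursive path policy must preserve: it covers the resource itself and its descendants, and nothing else. The function names `policy_matches_path` and `naive_prefix_match`, and the sample paths, are constructed for this example; `naive_prefix_match` shows the general pitfall a regression test should catch (a plain string-prefix comparison treating `/data/finance2` as if it were under `/data/finance`), not a claim about what Ranger's code did.

```python
import posixpath


def naive_prefix_match(policy_path: str, requested: str) -> bool:
    """Illustrative pitfall only: a bare string-prefix test ignores path
    component boundaries, so '/data/finance' would 'cover' '/data/finance2'."""
    return requested.startswith(policy_path)


def policy_matches_path(policy_path: str, is_recursive: bool, requested: str) -> bool:
    """Decide whether a wildcard-free policy resource covers `requested`.

    - Exact match always applies.
    - A recursive policy additionally covers descendants, which requires a
      path-separator boundary right after the policy path.
    - A non-recursive policy covers only the exact resource.
    """
    if any(ch in policy_path for ch in "*?"):
        # This helper is only for the wildcard-free case the advisory refers to.
        raise ValueError("wildcard policies need a different matcher")

    # Normalise so trailing slashes, '.' and '..' cannot skew the comparison.
    pol = posixpath.normpath(policy_path)
    req = posixpath.normpath(requested)

    if pol == req:
        return True
    if not is_recursive:
        return False

    # Descendant check anchored on a '/' boundary (root '/' already ends with one).
    prefix = pol if pol.endswith("/") else pol + "/"
    return req.startswith(prefix)


def boundary_regression_checks() -> list[str]:
    """Return a list of failed checks (empty means the matcher behaves)."""
    cases = [
        # (policy path, recursive, requested path, expected)
        ("/data/finance", True, "/data/finance", True),
        ("/data/finance", True, "/data/finance/q1.csv", True),
        ("/data/finance", True, "/data/finance2/q1.csv", False),
        ("/data/finance", True, "/data/fin", False),
        ("/data/finance", False, "/data/finance/q1.csv", False),
        ("/data/finance/", True, "/data/finance/sub/x", True),
        ("/", True, "/anything/at/all", True),
    ]
    failures = []
    for pol, rec, req, expected in cases:
        got = policy_matches_path(pol, rec, req)
        if got != expected:
            failures.append(f"{pol!r} recursive={rec} vs {req!r}: got {got}, expected {expected}")
    return failures


if __name__ == "__main__":
    for line in boundary_regression_checks() or ["all boundary checks passed"]:
        print(line)
```

The boundary cases in `boundary_regression_checks` are the ones worth keeping in a policy engine's test suite: a sibling directory that shares a name prefix, a truncated prefix, and a non-recursive policy applied to a child path.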
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
CVE-2016-8751: Apache Ranger stored cross site scripting issue
Severity: Normal
Vendor: The Apache Software Foundation
Versions Affected: 0.5.x and 0.6.0/0.6.1/0.6.2 versions of Apache Ranger
Users affected: All users of ranger policy admin tool
Description: Apache Ranger was found to be vulnerable to stored cross-site scripting when entering custom policy conditions. Admin users can store arbitrary JavaScript code that is executed when normal users log in and access policies.
Fix detail: Added logic to sanitize the user input.
Mitigation: Users should upgrade to 0.6.3 or later version of Apache Ranger with the fix.
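The fix above is described only as "sanitize the user input"; as an added example (not Ranger's code), the snippet below shows the two controls a policy admin UI typically combines for stored fields like custom conditions: an allowlist check on the condition name at input time, and HTML output encoding of every stored value at render time so that whatever an admin typed is displayed as text rather than interpreted as markup. The names `validate_condition_name` and `render_condition_html`, and the sample values, are constructed for this illustration.

```python
import html
import re

# Allowlist for condition identifiers: letters, digits, '_', '.', '-', bounded length.
_CONDITION_NAME = re.compile(r"[A-Za-z0-9_.-]{1,64}")


def validate_condition_name(name: str) -> str:
    """Reject condition names outside the allowlist at input time."""
    if not _CONDITION_NAME.fullmatch(name):
        raise ValueError(f"invalid condition name: {name!r}")
    return name


def render_condition_html(name: str, values: list[str]) -> str:
    """Render a stored condition for the policy view with output encoding.

    Every stored string is escaped for both element text and attribute context
    (quote=True also escapes '"' and "'"), so markup entered by an admin is
    shown literally to other users instead of being executed in their browser.
    """
    safe_name = html.escape(name, quote=True)
    safe_values = ", ".join(html.escape(v, quote=True) for v in values)
    return f'<span class="condition" data-name="{safe_name}">{safe_name}: {safe_values}</span>'


def contains_raw_markup(rendered: str, stored_values: list[str]) -> bool:
    """Check helper: True if any stored value survived unescaped in the output."""
    return any("<" in v and v in rendered for v in stored_values)


if __name__ == "__main__":
    # Constructed sample: one ordinary value and one containing HTML markup.
    stored = ["10.0.0.0/8", "<b onmouseover=x>note</b>"]
    out = render_condition_html(validate_condition_name("ip-range"), stored)
    print(out)
    print("raw markup present:", contains_raw_markup(out, stored))
```

Validation on the way in narrows what can be stored at all; encoding on the way out is what actually neutralises stored markup, and it has to be applied at every place the value is rendered, including attribute positions.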
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------