Posted to user@ranger.apache.org by Velmurugan Periasamy <ve...@apache.org> on 2015/08/05 22:37:04 UTC

CVEs fixed in Ranger 0.5

Ranger Community:

Please see below details.

CVE-2015-0265: Apache Ranger code injection vulnerability
-------------------------------------------------------------------------------
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected: 0.4.0 version of Apache Ranger
Users affected: All admin users of ranger policy admin tool
Description: Unauthorized users can submit JavaScript code that is then executed
in the Ranger policy admin tool sessions of admin users
Fix detail: Added logic to sanitize the user input
Mitigation: Users should upgrade to Apache Ranger 0.5.0 or later, which contains
the fix
Credit: Thanks to Jakub Kałużny from SecuRing for reporting this issue

CVE-2015-0266: Apache Ranger direct url access vulnerability
---------------------------------------------------------------------------------
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected: 0.4.0 version of Apache Ranger
Users affected: All users of ranger policy admin tool
Description: Regular users can reach modules that are accessible only to admin
users by entering their URLs directly
Fix detail: Added logic in the backend to verify user access
Mitigation: Users should upgrade to Apache Ranger 0.5.0 or later, which contains
the fix
Credit: Thanks to Jakub Kałużny from SecuRing for reporting this issue
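As an added illustration of the two fix patterns named above (not Ranger's own code), the following minimal Python request handler enforces access to admin-only modules in the backend rather than in the UI, and HTML-escapes user-supplied text before it is rendered into an admin's page. The module paths, role values and the request/response shapes are assumptions made for the example.

```python
import html
import posixpath
from dataclasses import dataclass, field
from typing import Optional

# Hypothetical admin-only module paths; the advisory names no concrete URLs.
ADMIN_ONLY_PREFIXES = ("/users", "/audit", "/permissions")


@dataclass
class Request:
    path: str
    role: str                      # "admin" or "user", taken from the server-side session
    params: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    body: str


def is_admin_module(path: str) -> bool:
    """Match the request path against admin-only modules after normalising it.

    Normalising first means variants such as "/policies/../audit" or "/AUDIT/"
    cannot slip past a naive string prefix comparison.
    """
    clean = posixpath.normpath("/" + path.split("?", 1)[0].lstrip("/")).lower()
    return any(clean == p or clean.startswith(p + "/") for p in ADMIN_ONLY_PREFIXES)


def authorize(req: Request) -> Optional[Response]:
    """Backend access check (the CVE-2015-0266 pattern): runs on every request,
    regardless of which menu entries the UI chose to show this user."""
    if is_admin_module(req.path) and req.role != "admin":
        return Response(403, "Forbidden")
    return None


def handle(req: Request) -> Response:
    denied = authorize(req)
    if denied:
        return denied
    # Any user-controlled value is HTML-escaped before it reaches a page viewed
    # by an admin (the CVE-2015-0265 pattern), so markup renders as inert text.
    name = html.escape(req.params.get("name", ""), quote=True)
    return Response(200, f"<h1>{name}</h1>")
```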

Thank you,
Vel