Posted to dev@ranger.apache.org by Velmurugan Periasamy <ve...@apache.org> on 2016/02/05 07:00:53 UTC

CVE update (CVE-2015-5167 & CVE-2016-0733) - Fixed in Ranger 0.5.1

Hello:

Here's a CVE update for the Ranger 0.5.1 release. Please see the details below.

Thank you,
Velmurugan Periasamy

--------------------------------------------------------------------------
CVE-2015-5167: Restrict REST API data access for non-admin users
--------------------------------------------------------------------------
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected: 0.4.0 and 0.5.0 versions of Apache Ranger
Users affected: All users of the Ranger policy admin tool
Description: Data access restrictions via REST API are not consistent with
restrictions in policy admin UI.
Mitigation: Users should upgrade to Ranger version 0.5.1
--------------------------------------------------------------------------
CVE-2016-0733: Ranger Admin authentication issue
--------------------------------------------------------------------------
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected: 0.4.0 and 0.5.0 versions of Apache Ranger
Users affected: All users of the Ranger policy admin tool
Description: Malicious users can gain access to the Ranger admin UI without
proper authentication
Mitigation: Users should upgrade to Ranger version 0.5.1
--------------------------------------------------------------------------