Posted to dev@ranger.apache.org by Velmurugan Periasamy <ve...@apache.org> on 2019/08/08 16:15:54 UTC

CVE update - fixed in Apache Ranger 2.0.0

Hello:

Please find below details on the CVE fixed in the Ranger 2.0.0 release. Release details can be found at https://cwiki.apache.org/confluence/display/RANGER/2.0.0+Release+-+Apache+Ranger

———————————————————————————————————————————————————
CVE-2019-12397: Apache Ranger cross site scripting issue
Severity: Normal
Vendor: The Apache Software Foundation
Versions Affected: 0.7.0 to 1.2.0 versions of Apache Ranger, prior to 2.0.0
Users affected: All users of the Ranger policy admin tool
Description: Apache Ranger was found to be vulnerable to cross-site scripting in the policy import functionality.
Fix detail: Added logic to sanitize the user input.
Mitigation: Users should upgrade to 2.0.0 or a later version of Apache Ranger with the fix.
Credit: Jan Kaszycki from STM Solutions
———————————————————————————————————————————————————

Thank you,
Velmurugan Periasamy