org.apache.ranger:ranger (Maven) — known CVEs & security advisories
Known CVE vulnerabilities and GitHub Security Advisories affecting the Maven package org.apache.ranger:ranger, with affected version ranges, CVSS severity, EPSS exploit prediction, and CISA KEV status.
CVEs (16)
CVE-2016-0733 — CVSS 9.8 (critical): The Admin UI in Apache Ranger before 0.5.1 does not properly handle authentication requests that lack a password, which allows remote…
CVE-2017-7676 — CVSS 9.8 (critical): Policy resource matcher in Apache Ranger before 0.7.1 ignores characters after '*' wildcard character - like my*test, test*.txt. This can…
CVE-2024-45479 — CVSS 9.1 (critical): SSRF vulnerability in Edit Service Page of Apache Ranger UI in Apache Ranger Version 2.4.0. Users are recommended to upgrade to version…
CVE-2018-11778 — CVSS 8.8 (high): UnixAuthenticationService in Apache Ranger 1.2.0 was updated to correctly handle user input to avoid Stack-based buffer overflow. Versions…
CVE-2022-45048 — CVSS 8.4 (high): Authenticated users with appropriate privileges can create policies having expressions that can exploit code execution vulnerability. This…
CVE-2016-2174 — CVSS 7.2 (high): SQL injection vulnerability in the policy admin tool in Apache Ranger before 0.5.3 allows remote authenticated administrators to execute…
CVE-2015-0266 — CVSS 7.1 (high): The Policy Admin Tool in Apache Ranger before 0.5.0 allows remote authenticated users to bypass intended access restrictions via direct…
CVE-2015-5167 — CVSS 6.5 (medium): The Policy Admin Tool in Apache Ranger before 0.5.1 allows remote authenticated users to bypass intended access restrictions via the REST…
CVE-2016-6815 — CVSS 6.5 (medium): In Apache Ranger before 0.6.2, users with "keyadmin" role should not be allowed to change password for users with "admin" role.
CVE-2015-0265 — CVSS 6.1 (medium): Cross-site scripting (XSS) vulnerability in the Policy Admin Tool in Apache Ranger before 0.5.0 allows remote attackers to inject arbitrary…
CVE-2019-12397 — CVSS 6.1 (medium): Policy import functionality in Apache Ranger 0.7.0 to 1.2.0 is vulnerable to a cross-site scripting issue. Upgrade to 2.0.0 or later…
CVE-2017-7677 — CVSS 5.9 (medium): In environments that use external location for hive tables, Hive Authorizer in Apache Ranger before 0.7.1 should be checking RWX permission…
CVE-2016-5395 — CVSS 4.8 (medium): Cross-site scripting (XSS) vulnerability in the create user functionality in the policy admin tool in Apache Ranger before 0.6.1 allows…
CVE-2016-8751 — CVSS 4.8 (medium): Apache Ranger before 0.6.3 is vulnerable to a Stored Cross-Site Scripting in when entering custom policy conditions. Admin users can store…
CVE-2024-45478 — CVSS 4.8 (medium): Stored XSS vulnerability in Edit Service Page of Apache Ranger UI in Apache Ranger Version 2.4.0. Users are recommended to upgrade to…