oss-sec mailing list archives
CVE update (CVE-2016-5395) - Fixed in Apache Ranger 0.6.1
From: Velmurugan Periasamy <vel () apache org>
Date: Mon, 22 Aug 2016 10:42:09 -0400
Hello:

Here's a CVE update for the Ranger 0.6.1 release. Please see the details below. Release details can be found at https://cwiki.apache.org/confluence/display/RANGER/0.6.1+Release+-+Apache+Ranger

Thank you,
Velmurugan Periasamy

-----------------------------------------------------------------------------------------------
CVE-2016-5395: Apache Ranger Stored Cross Site Scripting vulnerability
-----------------------------------------------------------------------------------------------

Severity: Normal

Vendor: The Apache Software Foundation

Versions Affected: All 0.5.x versions of Apache Ranger and version 0.6.0

Users Affected: All users of the Ranger policy admin tool

Description: Apache Ranger was found to be vulnerable to a Stored Cross-Site Scripting in the create user functionality. Admin users can store some arbitrary JavaScript code to be executed when normal users log in and access policies.

Fix details: Added logic to sanitize the user input

Mitigation: Users should upgrade to 0.6.1 or later version of Apache Ranger with the fix.

Credit: Thanks to Victor Hora from Securus Global for reporting this issue.

-----------------------------------------------------------------------------------------------
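The advisory above describes the pattern (a value stored by an admin through the create-user form is later rendered, unescaped, to every user who views a policy) and the class of fix ("sanitize the user input"). The following is an added illustration of that pattern and of the two complementary defences; it is not code from the post or from Apache Ranger. The user records, the policy-row renderer and the function names are hypothetical stand-ins for a policy admin UI, and the sample payload is constructed.

```javascript
// Added illustration (not Apache Ranger code): how a stored XSS in a
// "create user" form reaches other users, and two ways to stop it.
// The data model and rendering below are hypothetical stand-ins for a
// policy admin UI.

// Constructed sample: an admin creates a user whose display name carries
// a script payload. Stored verbatim, it runs in the browser of anyone who
// later views a policy row that shows this user.
const STORED_USERS = [
  { id: 1, name: 'alice' },
  { id: 2, name: '<img src=x onerror="alert(document.cookie)">' },
];

// Vulnerable: stored data interpolated straight into HTML markup.
function renderPolicyRowUnsafe(policyName, user) {
  return `<tr><td>${policyName}</td><td>${user.name}</td></tr>`;
}

// Fix 1, output encoding: escape the HTML-significant characters so the
// stored value can only ever be text, never markup or an attribute.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

function renderPolicyRowSafe(policyName, user) {
  return `<tr><td>${escapeHtml(policyName)}</td><td>${escapeHtml(user.name)}</td></tr>`;
}

// Fix 2, input validation at create-user time: only accept names drawn
// from an allow-list of characters, so a payload is rejected before it is
// stored rather than filtered afterwards. (Hypothetical policy; a real
// deployment would pick the character set its identity sources need.)
const USER_NAME_RE = /^[A-Za-z0-9._@-]{1,64}$/;
function validateUserName(name) {
  return USER_NAME_RE.test(name);
}

// Simulated create-user handler: validation at the boundary, then store.
// Returns true when the user was created, false when the name was rejected.
function createUser(store, name) {
  if (!validateUserName(name)) return false;
  store.push({ id: store.length + 1, name });
  return true;
}

// Render the view a normal user sees: every stored user on a policy row.
function renderPolicyView(users, policyName, safe) {
  const render = safe ? renderPolicyRowSafe : renderPolicyRowUnsafe;
  return `<table>${users.map((u) => render(policyName, u)).join('')}</table>`;
}
```

The two defences are not alternatives: validation limits what can be stored through this one form, while output encoding makes any stored value inert on every page that displays it, including values that entered through other paths (bulk import, sync from an external directory) and never passed the form's validation.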
Current thread:
- CVE update (CVE-2016-5395) - Fixed in Apache Ranger 0.6.1 Velmurugan Periasamy (Aug 22)