oss-sec mailing list archives
CVEs fixed in Ranger 0.5
From: Velmurugan Periasamy <vel () apache org>
Date: Wed, 05 Aug 2015 16:37:04 -0400
Ranger Community: Please see below details.

CVE-2015-0265: Apache Ranger code injection vulnerability
-------------------------------------------------------------------------------

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected: 0.4.0 version of Apache Ranger

Users affected: All admin users of ranger policy admin tool

Description: Unauthorized users can send some JavaScript code to be executed in ranger policy admin tool admin sessions

Fix detail: Added logic to sanitize the user input

Mitigation: Users should upgrade to 0.5.0+ version of Apache Ranger with the fix

Credit: Thanks to Jakub Kałużny from SecuRing for reporting this issue

CVE-2015-0266: Apache Ranger direct URL access vulnerability
-------------------------------------------------------------------------------

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected: 0.4.0 version of Apache Ranger

Users affected: All users of ranger policy admin tool

Description: Regular users can type in the URL of modules that are accessible only to admin users

Fix detail: Added logic in the backend to verify user access

Mitigation: Users should upgrade to 0.5.0+ version of Apache Ranger with the fix

Credit: Thanks to Jakub Kałużny from SecuRing for reporting this issue

Thank you,
Vel
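The two fix descriptions above ("sanitize the user input" for CVE-2015-0265 and "verify user access in the backend" for CVE-2015-0266) are the general pattern for a stored-script and a forced-browsing weakness in any admin console. The following is an added, self-contained illustration written for this archive page; it is not Apache Ranger's code and does not reproduce the actual patches. The module paths, role names, user records and the rendering helper are constructed assumptions. It contrasts a handler that only hides admin links in the UI with one that enforces the role check server-side, and a renderer that interpolates a user-controlled value raw with one that HTML-escapes it before it reaches an admin's browser.

```python
import html
from dataclasses import dataclass, field
from typing import List

# Constructed model of a small policy-admin web tool. Paths, roles and users
# are hypothetical placeholders chosen for this example, not Ranger's own.
ADMIN_ONLY_MODULES = {"/users", "/audit", "/permissions"}
GENERAL_MODULES = {"/policies", "/reports"}
ALL_MODULES = GENERAL_MODULES | ADMIN_ONLY_MODULES


@dataclass(frozen=True)
class User:
    name: str
    role: str  # "ADMIN" or "USER" (constructed role names)


@dataclass
class Response:
    status: int
    body: str


@dataclass
class AuditLog:
    # Denied requests are recorded so a defender can spot forced-browsing
    # attempts (repeated 403s from a non-admin account) in the audit trail.
    entries: List[str] = field(default_factory=list)


def module_links_for(user: User) -> set:
    """UI-side menu: admin links are simply not shown to regular users.
    Both handlers below use this; it is presentation, not access control."""
    if user.role == "ADMIN":
        return set(ALL_MODULES)
    return set(GENERAL_MODULES)


def handle_request_vulnerable(user: User, path: str) -> Response:
    """CVE-2015-0266 pattern: the backend trusts that the UI hid the link.
    Anyone who types the admin URL directly is served the module."""
    if path not in ALL_MODULES:
        return Response(404, "not found")
    return Response(200, f"module {path} for {user.name}")


def handle_request_fixed(user: User, path: str, log: AuditLog) -> Response:
    """Fixed pattern: the role check is repeated in the backend on every
    request, independent of what the UI chose to display."""
    if path not in ALL_MODULES:
        return Response(404, "not found")
    if path in ADMIN_ONLY_MODULES and user.role != "ADMIN":
        log.entries.append(f"DENY user={user.name} role={user.role} path={path}")
        return Response(403, "forbidden")
    return Response(200, f"module {path} for {user.name}")


def render_policy_name_vulnerable(name: str) -> str:
    """CVE-2015-0265 pattern: a value supplied by a lower-privileged user is
    interpolated into HTML unchanged and later rendered in an admin session."""
    return f"<td>{name}</td>"


def render_policy_name_fixed(name: str) -> str:
    """Fixed pattern: escape on output so markup in the stored value is shown
    as text instead of being interpreted by the admin's browser."""
    return f"<td>{html.escape(name, quote=True)}</td>"


if __name__ == "__main__":
    bob = User("bob", "USER")
    log = AuditLog()
    print(module_links_for(bob))                              # admin links hidden
    print(handle_request_vulnerable(bob, "/users").status)    # 200: UI hiding alone
    print(handle_request_fixed(bob, "/users", log).status)    # 403: backend check
    print(log.entries)
    stored = "<script>alert(1)</script>"                      # constructed sample
    print(render_policy_name_fixed(stored))
```

The important property of `handle_request_fixed` is that it never consults `module_links_for`: the menu and the authorization decision are computed independently, so an attacker who bypasses the menu gains nothing. Likewise `render_policy_name_fixed` escapes at the point of output rather than trying to filter input, which is the more robust of the two "sanitize" strategies because it cannot be bypassed by encodings the input filter did not anticipate.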