Common Vulnerabilities and Exposures
The following information-security vulnerabilities and exposures (CVEs) were fixed as part of HDP 2.4.2.
CVE-2016-2174: Apache Ranger SQL injection vulnerability
Severity: Moderate
Vendor: Hortonworks
Versions Affected: All HDP 2.3.x and 2.4.x versions including Apache Ranger versions 0.5.0, 0.5.1, and 0.5.2.
Users Affected: All admin users of the Ranger policy admin tool.
Impact: SQL injection vulnerability in > tab. When a user clicks an element in the policyId row of the list, the UI makes an underlying call that carries an eventTime parameter, and that parameter is where the vulnerability lies. Admin users can append arbitrary SQL to the eventTime parameter of the /service/plugins/policies/eventTime/ URL and have it executed by the policy admin tool's database. See BUG-55856, BUG-55857 and BUG-55858.
Recommended Action: Upgrade to HDP 2.4.2+ (with Apache Ranger 0.5.2+).
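The advisory names the bug class (an untrusted eventTime query parameter spliced into SQL) but not the query. The block below is an added illustration, not Ranger's code and not a reproduction of the reported issue: it models a lookup-by-eventTime against a constructed in-memory audit table, shows the string-built query beside a parameterized one, and adds a format allow-list as defense in depth. The table name, columns, sample rows and the crafted value are all assumptions made for the example.

```python
import re
import sqlite3

# Constructed sample data standing in for an audit/transaction table keyed by event time.
SAMPLE_ROWS = [
    ("2016-04-01 10:00:00", 1, "alice", "policy create"),
    ("2016-04-01 11:00:00", 2, "bob", "policy update"),
    ("2016-04-02 09:30:00", 3, "carol", "policy delete"),
]

# eventTime is expected as "YYYY-MM-DD HH:MM:SS"; anything else is rejected up front.
EVENT_TIME_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}$")


def make_db():
    """Build a throwaway SQLite database with the constructed rows (hypothetical schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE trx_log (event_time TEXT, policy_id INTEGER, user TEXT, action TEXT)"
    )
    conn.executemany("INSERT INTO trx_log VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, event_time, policy_id):
    """The bug class: the caller-supplied eventTime string becomes part of the SQL text.

    A value such as  ' OR '1'='1  turns the WHERE clause into
    policy_id = 1 AND event_time = '' OR '1'='1', which matches every row.
    """
    sql = (
        "SELECT user, action FROM trx_log "
        f"WHERE policy_id = {int(policy_id)} AND event_time = '{event_time}'"
    )
    return conn.execute(sql).fetchall()


def is_valid_event_time(value):
    """Allow-list check on the raw parameter before it reaches the data layer."""
    return bool(EVENT_TIME_RE.match(value))


def lookup_fixed(conn, event_time, policy_id):
    """Hardened form: validate the format, then bind the value as a query parameter.

    The driver sends event_time as data, never as SQL text, so a quote inside it
    is just a quote and cannot change the query's structure.
    """
    if not is_valid_event_time(event_time):
        raise ValueError("eventTime must look like YYYY-MM-DD HH:MM:SS")
    sql = "SELECT user, action FROM trx_log WHERE policy_id = ? AND event_time = ?"
    return conn.execute(sql, (int(policy_id), event_time)).fetchall()


def lookup_parameterized_only(conn, event_time, policy_id):
    """Parameter binding alone, without the allow-list, to show it is sufficient by itself."""
    sql = "SELECT user, action FROM trx_log WHERE policy_id = ? AND event_time = ?"
    return conn.execute(sql, (int(policy_id), event_time)).fetchall()


if __name__ == "__main__":
    db = make_db()
    crafted = "' OR '1'='1"  # constructed test value, not a recorded payload
    print("vulnerable:", lookup_vulnerable(db, crafted, 1))          # all three rows
    print("bound only:", lookup_parameterized_only(db, crafted, 1))  # []
    try:
        lookup_fixed(db, crafted, 1)
    except ValueError as exc:
        print("fixed:", exc)
    print("fixed, benign:", lookup_fixed(db, "2016-04-01 10:00:00", 1))
```

The two hardened variants make the point separately: binding the parameter is what removes the injection, and the regex allow-list is the extra check that lets a reviewer reject malformed values at the API boundary and log them, rather than relying on the database layer alone.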