Common Vulnerabilities and Exposures
CVE-2016-5395: Apache Ranger Stored Cross Site Scripting vulnerability
Severity: Moderate
Vendor: Hortonworks
Versions Affected: All HDP 2.3/2.4 versions including Apache Ranger versions 0.5.x
Users Affected: All users of the Ranger policy admin tool.
Impact: Apache Ranger was found to be vulnerable to stored cross-site scripting (XSS) in the create user functionality. Admin users can store arbitrary JavaScript code that is executed when normal users log in and access policies. See RANGER-1124.
Fix detail: Added logic to sanitize the user input.
Recommended Action: Users should upgrade to HDP 2.5+ (with Apache Ranger 0.6.1+)
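
The fix detail above says only that user input is now sanitized. As an added illustration (not Apache Ranger's code, and not taken from RANGER-1124), the sketch below shows the two usual layers for this class of bug: validating user fields when the account is created, and encoding stored values when they are rendered. The field names `loginId`, `firstName`, `lastName` and the allowlist pattern are assumptions.

```javascript
// Added example; not Apache Ranger code. Field names and the allowlist are assumptions.

// Input validation at user creation: accept only characters expected in a name.
const NAME_PATTERN = /^[A-Za-z0-9][A-Za-z0-9 ._'-]{0,63}$/;

function validateUserFields(fields) {
  const errors = [];
  for (const key of ["loginId", "firstName", "lastName"]) {
    const value = fields[key];
    if (typeof value !== "string" || !NAME_PATTERN.test(value)) {
      errors.push(key);
    }
  }
  return errors; // an empty array means the record may be stored
}

// Output encoding at render time: neutralize HTML metacharacters.
const HTML_ENTITIES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Vulnerable pattern: a stored value is concatenated into markup as-is.
function renderUserRowUnsafe(user) {
  return "<td>" + user.firstName + "</td>";
}

// Hardened pattern: every stored value is encoded before it reaches the page.
function renderUserRow(user) {
  return "<td>" + escapeHtml(user.firstName) + "</td>";
}

// Constructed sample records (not taken from the advisory).
const benign = { loginId: "jdoe", firstName: "Jane", lastName: "O'Neil" };
const hostile = { loginId: "jdoe2", firstName: "<script>alert(1)</script>", lastName: "Doe" };

console.log(validateUserFields(benign));   // no rejected fields
console.log(validateUserFields(hostile));  // firstName is rejected at creation
console.log(renderUserRowUnsafe(hostile)); // markup passes through unchanged
console.log(renderUserRow(hostile));       // markup is rendered as inert text
```

Encoding at render time also covers records that were stored before validation was introduced, which matters for a stored XSS fix applied to an existing user database.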