Release Notes
Also available as:

Common Vulnerabilities and Exposures

  • CVE-2016-5395: Apache Ranger Stored Cross Site Scripting vulnerability

    Severity: Moderate

    Vendor: Hortonworks

    Versions Affected: All HDP 2.3/2.4 versions including Apache Ranger versions 0.5.x

    Users Affected: All users of ranger policy admin tool.

    Impact: Apache Ranger was found to be vulnerable to a Stored Cross-Site Scripting in the create user functionality. Admin users can store some arbitrary javascript code to be executed when normal users login and access policies. See RANGER-1124.

    Fix detail: Added logic to sanitize the user input.

    Recommended Action: Users should upgrade to HDP 2.5+ (with Apache Ranger 0.6.1+)