Common Vulnerabilities and Exposures

CVE-2016-8746

Summary: Apache Ranger path matching issue in policy evaluation

Severity: Normal

Vendor: Hortonworks

Versions Affected: All HDP 2.5 versions including Apache Ranger versions 0.6.0/0.6.1/0.6.2

Users affected: All users of the ranger policy admin tool.

Impact: Ranger policy engine incorrectly matches paths in certain conditions when a policy contains wildcards and recursive flags.

Fix detail: Fixed policy evaluation logic

Recommended Action: Users should upgrade to HDP 2.5.4+ (with Apache Ranger 0.6.3+).

CVE-2016-8751

Summary: Apache Ranger stored cross site scripting issue

Severity: Normal

Vendor: Hortonworks

Versions Affected: All HDP 2.3/2.4/2.5 versions including Apache Ranger versions 0.5.x/0.6.0/0.6.1/0.6.2

Users affected: All users of the ranger policy admin tool.

Impact: Apache Ranger is vulnerable to a Stored Cross-Site Scripting when entering custom policy conditions. Admin users can store some arbitrary javascript code execute when normal users login and access policies.

Fix detail: Added logic to sanitize the user input.

Recommended Action: Users should upgrade to HDP 2.5.4+ (with Apache Ranger 0.6.3+).

​Common Vulnerabilities and Exposures

​CVE-2016-8746

​CVE-2016-8751

CVE-2016-8746

CVE-2016-8751