CVE-2015-0266
Severity: high
CVSS v3: 7.1
CVSS v2: 6.5
VIR risk: 7.1
Description
Apache Ranger allows users to bypass intended access restrictions via direct access to module URLs.
Predictions
Exploit likelihood: 80%
Patch ETA: —
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: secalert@redhat.com — https://cwiki.apache.org/confluence/display/RANGER/Vulnerabilities+found+in+Ranger
Package impact
| Ecosystem | Package | Vulnerable | Fixed |
|---|---|---|---|
| Maven | org.apache.ranger:ranger | <0.5.0 | 0.5.0 |
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| apache | ranger | <= 0.4.0 | |
References
- http://www.securityfocus.com/bid/76221
- http://www.slideshare.net/wojdwo/big-problems-with-big-data-hadoop-interfaces-security
- https://cwiki.apache.org/confluence/display/RANGER/Vulnerabilities+found+in+Ranger
- https://mail-archives.apache.org/mod_mbox/ranger-dev/201508.mbox/%3CD1E7EC30.9D53F%25vel%40apache.org%3E
- https://nvd.nist.gov/vuln/detail/CVE-2015-0266
- https://github.com/apache/ranger
- https://web.archive.org/web/20200228073944/http://www.securityfocus.com/bid/76221
CWEs
CWE-264