5 matches found
Apache Ranger eventTime parameter SQL injection Vulnerability (CVE-2016-2174)
Description: Apache Ranger =:6080/service/plugins/policies/eventTime ?eventTime=' or '1'='1 &policyId=1 The vulnerable code is located in the org/apache/ranger/db/XXDataHistDao.java file in the findObjByEventTimeClassTypeAndId function: public XXDataHist...
SOL43254923 - Apache Ranger vulnerability CVE-2016-2174
Vulnerability Recommended Actions None Supplemental Information SOL9970: Subscribing to email notifications regarding F5 products SOL9957: Creating a custom RSS feed to view new and updated documents SOL4602: Overview of the F5 security vulnerability response policy SOL4918: Overview of the F5...
CVE-2016-2174
SQL injection vulnerability in the policy admin tool in Apache Ranger before 0.5.3 allows remote authenticated administrators to execute arbitrary SQL commands via the eventTime parameter to service/plugins/policies/eventTime...
CVE-2016-2174
SQL injection vulnerability in the policy admin tool in Apache Ranger before 0.5.3 allows remote authenticated administrators to execute arbitrary SQL commands via the eventTime parameter to service/plugins/policies/eventTime...
CVE-2016-2174
CVE-2016-2174 describes a SQL injection in the policy admin tool of Apache Ranger prior to 0.5.3. The vulnerability arises from an eventTime parameter being used in a dynamic SQL query (e.g., in service/plugins/policies/eventTime) without proper parameterization, allowing remote authenticated adm...