21 matches found
CVE-2025-59059
Apache Ranger CVE-2025-59059 is a remote code execution issue affecting Ranger versions
CVE-2024-55532
CVE-2024-55532 affects Apache Ranger prior to 2.6.0, in the Export CSV feature. The root cause is Improper Neutralization of Formula Elements, which can enable CSV injection when exporting data. Multiple connected sources (Red Hat, SNYK, OSV, GHSA, and CVE listings) corroborate that the remediati...
CVE-2019-12397
Summary: CVE-2019-12397 affects Apache Ranger policy import functionality. Multiple connected records confirm that versions 0.7.0 through 1.2.0 are vulnerable to cross-site scripting due to inadequate input handling in the policy import feature. The fixed remediation is to upgrade to Apache Range...
CVE-2016-8746
CVE-2016-8746 affects Apache Ranger policy engine prior to version 0.6.3. The issue is a path-matching defect that occurs under recursive evaluation when policies do not contain wildcards, enabling mismatches and potential security bypass. The vulnerability is scoped to the policy engine logic (n...
CVE-2017-7676
Apache Ranger policy resource matching (before 0.7.1) ignores characters after the asterisk wildcard, e.g., my*test, test*.txt, which can lead to unintended behavior and policy evaluation bypass risks. Affected versions: Ranger before 0.7.1. The issue is addressed in Ranger 0.7.1 (fixes to wildcar...
CVE-2016-6815
The CVE-2016-6815 issue affects Apache Ranger prior to 0.6.2, where users with the keyadmin role can change the password for users with the admin role, enabling local privilege escalation.
CVE-2022-45048
Affected product: Apache Ranger (v2.3.0). Issue: code execution vulnerability via injectable policy expressions in created policies. Root cause (as stated): authenticated users with appropriate privileges can craft expressions that trigger execution. Impact: CVSS high, enabling total compromise p...
CVE-2024-45479
Apache Ranger UI (v2.4.0) contains an SSRF vulnerability in the Edit Service Page. The root cause is improper input validation that allows crafted requests to trigger unintended internal or external network calls. This vulnerability is classified with high impact (CVSS v3.1: AV:N/AC:L/PR:N/UI:N/S...
CVE-2016-8751
CVE-2016-8751 affects Apache Ranger prior to 0.6.3. The vulnerability is a Stored Cross-Site Scripting in custom policy conditions, enabling admin users to store JavaScript executed when normal users log in and access policies. Exploitation details, affected versions beyond 0.6.3, and remediation...
CVE-2016-2174
CVE-2016-2174 describes a SQL injection in the policy admin tool of Apache Ranger prior to 0.5.3. The vulnerability arises from an eventTime parameter being used in a dynamic SQL query (e.g., in service/plugins/policies/eventTime) without proper parameterization, allowing remote authenticated adm...
CVE-2016-5395
CVE-2016-5395 is a cross-site scripting (XSS) vulnerability in Apache Ranger’s policy admin create-user function, exploitable by remote authenticated administrators to inject script or HTML via policy-related vectors. Affected product: Apache Ranger (prior to 0.6.1). Root cause: insufficient inpu...
CVE-2017-7677
CVE-2017-7677 affects the Hive Authorizer in Apache Ranger prior to 0.7.1. In environments using external locations for Hive tables, it should check RWX permissions for create table, but this check is missing, enabling a potential permission-check bypass when creating tables. The issue is address...
CVE-2018-11778
CVE-2018-11778 affects UnixAuthenticationService in Apache Ranger. Multiple connected sources confirm that UnixAuthenticationService handles user input and previously vulnerable versions could be susceptible to a stack-based buffer overflow, potentially allowing crash or arbitrary code execution....
CVE-2024-45478
CVE-2024-45478 describes a stored cross-site scripting (XSS) vulnerability in the Edit Service Page of Apache Ranger UI, specifically affecting Apache Ranger UI version 2.4.0. The underlying issue is lack of proper input filtering/escaping on user-supplied data. The recommended remediation is to ...
CVE-2016-0733
The CVE covers Apache Ranger’s Admin UI prior to 0.5.1, where authentication requests lacking a password are mishandled. The root cause is improper handling of credentials in the Admin UI authentication logic, allowing remote attackers to bypass login by leveraging a known valid username. Reporte...
CVE-2015-0265
Summary: CVE-2015-0265 describes a cross-site scripting (XSS) vulnerability in the Policy Admin Tool of Apache Ranger prior to version 0.5.0. The issue allows remote attackers to inject arbitrary web script or HTML via the HTTP User-Agent header. Affected component: Apache Ranger Policy Admin To...
CVE-2015-5167
The CVE-2015-5167 entry concerns Apache Ranger’s Policy Admin Tool. The vulnerability allows remote authenticated users to bypass intended access restrictions via the REST API in Ranger versions prior to 0.5.1. Affected component: Policy Admin Tool; root cause described as an access-control bypas...
CVE-2016-0735
Apache Ranger 0.5.x before 0.5.2 is affected by a vulnerability where remote authenticated users can bypass parent resource-level access restrictions by mishandling a resource-level exclude policy. Affected versions include 0.5.0 and 0.5.1; the issue enables unintended access control bypass at th...
CVE-2021-40331
The CVE-2021-40331 entry describes an Incorrect Permission Assignment for Critical Resource in Apache Ranger Hive Plugin. Affected versions are 2.0.0 through 2.3.0; any user with SELECT privilege on a database can alter Hive table ownership when the plugin is enabled. Root cause is improper privi...
CVE-2015-0266
The CVE concerns Apache Ranger’s Policy Admin Tool pre-0.5.0. Affected component: Policy Admin Tool in Ranger. Root cause: improper access control allowing remote authenticated users to bypass intended restrictions via direct access to module URLs. Impact: confidentiality/integrity/availability e...
CVE-2025-59060
Summary: CVE-2025-59060 describes a hostname verification bypass in Apache Ranger’s NiFiRegistryClient/NiFiClient. The issue is reported for Apache Ranger versions ≤ 2.7.0 and is fixed by upgrading to version 2.8.0. Affected components: NiFiRegistryClient and NiFiClient within Apache Ranger. Root...