Apache Ranger admin users can store some arbitrary javascript code to be executed when normal users login and access policies · CVE-2016-8751 · GitHub Advisory Database · GitHub

Apache Ranger admin users can store some arbitrary javascript code to be executed when normal users login and access policies

Moderate severity GitHub Reviewed Published Oct 17, 2018 to the GitHub Advisory Database • Updated Jan 9, 2023

Package

org.apache.ranger:ranger (Maven)

Affected versions

< 0.6.3

Patched versions

0.6.3

Description

Apache Ranger before 0.6.is vulnerable to a Stored Cross-Site Scripting in when entering custom policy conditions. Admin users can store some arbitrary javascript code to be executed when normal users login and access policies.

References

Published to the GitHub Advisory Database Oct 17, 2018

Reviewed Jun 16, 2020

Last updated Jan 9, 2023

Severity

Moderate

4.8

/ 10

CVSS base metrics

Attack vector

Network

Attack complexity

Low

Privileges required

High

User interaction

Required

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

None

CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N