Skip to main content

Ranger CVE-2016-8751

MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2017-06-14 security@apache.org
4.8
CVSS 3.0 · NVD
Share

Severity by source

NVD PRIMARY
4.8 MEDIUM
AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

1
CVE Published
Jun 14, 2017 - 17:29 cve.org
MEDIUM 4.8

DescriptionCVE.org

Apache Ranger before 0.6.3 is vulnerable to a Stored Cross-Site Scripting in when entering custom policy conditions. Admin users can store some arbitrary javascript code to be executed when normal users login and access policies.

AnalysisAI

Apache Ranger before 0.6.3 is vulnerable to a Stored Cross-Site Scripting in when entering custom policy conditions. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

Technical ContextAI

This vulnerability is classified as Cross-Site Scripting (XSS) (CWE-79), which allows attackers to inject malicious scripts into web pages viewed by other users. Apache Ranger before 0.6.3 is vulnerable to a Stored Cross-Site Scripting in when entering custom policy conditions. Admin users can store some arbitrary javascript code to be executed when normal users login and access policies. Affected products include: Apache Ranger. Version information: before 0.6.3.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Sanitize all user input, use Content-Security-Policy headers, encode output contextually (HTML, JS, URL). Use frameworks with built-in XSS protection.

More in Ranger

View all
CVE-2015-0266 HIGH POC
7.1 Apr 11

The Policy Admin Tool in Apache Ranger before 0.5.0 allows remote authenticated users to bypass intended access restrict

CVE-2015-0265 MEDIUM POC
6.1 Apr 11

Cross-site scripting (XSS) vulnerability in the Policy Admin Tool in Apache Ranger before 0.5.0 allows remote attackers

CVE-2016-0733 CRITICAL
9.8 Apr 12

The Admin UI in Apache Ranger before 0.5.1 does not properly handle authentication requests that lack a password, which

CVE-2017-7676 CRITICAL
9.8 Jun 14

Policy resource matcher in Apache Ranger before 0.7.1 ignores characters after '*' wildcard character - like my*test, te

CVE-2024-55532 CRITICAL
9.8 Mar 03

Improper Neutralization of Formula Elements in Export CSV feature of Apache Ranger in Apache Ranger Version < 2.6.0. Rat

CVE-2025-59059 CRITICAL
9.8 Mar 03

RCE in Apache Ranger <= 2.7.0 via NashornScriptEngineCreator. EPSS 0.42%.

CVE-2016-0735 HIGH
8.8 Apr 11

Apache Ranger 0.5.x before 0.5.2 allows remote authenticated users to bypass intended parent resource-level access restr

CVE-2018-11778 HIGH
8.8 Oct 05

UnixAuthenticationService in Apache Ranger 1.2.0 was updated to correctly handle user input to avoid Stack-based buffer

CVE-2016-2174 HIGH
7.2 Jun 13

SQL injection vulnerability in the policy admin tool in Apache Ranger before 0.5.3 allows remote authenticated administr

CVE-2016-6815 MEDIUM
6.5 Oct 13

In Apache Ranger before 0.6.2, users with "keyadmin" role should not be allowed to change password for users with "admin

CVE-2015-5167 MEDIUM
6.5 Apr 12

The Policy Admin Tool in Apache Ranger before 0.5.1 allows remote authenticated users to bypass intended access restrict

CVE-2019-12397 MEDIUM
6.1 Aug 08

Policy import functionality in Apache Ranger 0.7.0 to 1.2.0 is vulnerable to a cross-site scripting issue. Rated medium

Share

CVE-2016-8751 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy