Ranger
CVE-2025-59060
MEDIUM
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
3Blast Radius
ecosystem impact- 1 maven packages depend on org.apache.ranger:ranger-nifi-registry-plugin (1 direct, 0 indirect)
Ecosystem-wide dependent count for version 2.8.0.
DescriptionCVE.org
Hostname verification bypass issue in Apache Ranger NiFiRegistryClient/NiFiClient is reported in Apache Ranger versions <= 2.7.0.
Users are recommended to upgrade to version 2.8.0, which fixes this issue.
AnalysisAI
Hostname verification bypass issue in Apache Ranger NiFiRegistryClient/NiFiClient is reported in Apache Ranger versions <= 2.7.0. Users are recommended to upgrade to version 2.8.0, which fixes this issue. [CVSS 5.3 MEDIUM]
Technical ContextAI
Affects Ranger. Hostname verification bypass issue in Apache Ranger NiFiRegistryClient/NiFiClient is reported in Apache Ranger versions <= 2.7.0.
Users are recommended to upgrade to version 2.8.0, which fixes this issue.
RemediationAI
Update to version 2.8.0 or later. Restrict network access to the affected service where possible.
The Policy Admin Tool in Apache Ranger before 0.5.0 allows remote authenticated users to bypass intended access restrict
Cross-site scripting (XSS) vulnerability in the Policy Admin Tool in Apache Ranger before 0.5.0 allows remote attackers
The Admin UI in Apache Ranger before 0.5.1 does not properly handle authentication requests that lack a password, which
Policy resource matcher in Apache Ranger before 0.7.1 ignores characters after '*' wildcard character - like my*test, te
Improper Neutralization of Formula Elements in Export CSV feature of Apache Ranger in Apache Ranger Version < 2.6.0. Rat
RCE in Apache Ranger <= 2.7.0 via NashornScriptEngineCreator. EPSS 0.42%.
Apache Ranger 0.5.x before 0.5.2 allows remote authenticated users to bypass intended parent resource-level access restr
UnixAuthenticationService in Apache Ranger 1.2.0 was updated to correctly handle user input to avoid Stack-based buffer
SQL injection vulnerability in the policy admin tool in Apache Ranger before 0.5.3 allows remote authenticated administr
In Apache Ranger before 0.6.2, users with "keyadmin" role should not be allowed to change password for users with "admin
The Policy Admin Tool in Apache Ranger before 0.5.1 allows remote authenticated users to bypass intended access restrict
Policy import functionality in Apache Ranger 0.7.0 to 1.2.0 is vulnerable to a cross-site scripting issue. Rated medium
Share
External POC / Exploit Code
Leaving vuln.today
GHSA-5fvg-qwcp-r325