Skip to main content

Ranger CVE-2025-59060

MEDIUM
Improper Validation of Certificate with Host Mismatch (CWE-297)
2026-03-03 security@apache.org GHSA-5fvg-qwcp-r325
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

3
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
Analysis Generated
Mar 12, 2026 - 22:05 vuln.today
CVE Published
Mar 03, 2026 - 11:16 nvd
MEDIUM 5.3

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 1 maven packages depend on org.apache.ranger:ranger-nifi-registry-plugin (1 direct, 0 indirect)

Ecosystem-wide dependent count for version 2.8.0.

DescriptionCVE.org

Hostname verification bypass issue in Apache Ranger NiFiRegistryClient/NiFiClient is reported in Apache Ranger versions <= 2.7.0.

Users are recommended to upgrade to version 2.8.0, which fixes this issue.

AnalysisAI

Hostname verification bypass issue in Apache Ranger NiFiRegistryClient/NiFiClient is reported in Apache Ranger versions <= 2.7.0. Users are recommended to upgrade to version 2.8.0, which fixes this issue. [CVSS 5.3 MEDIUM]

Technical ContextAI

Affects Ranger. Hostname verification bypass issue in Apache Ranger NiFiRegistryClient/NiFiClient is reported in Apache Ranger versions <= 2.7.0.

Users are recommended to upgrade to version 2.8.0, which fixes this issue.

RemediationAI

Update to version 2.8.0 or later. Restrict network access to the affected service where possible.

More in Ranger

View all
CVE-2015-0266 HIGH POC
7.1 Apr 11

The Policy Admin Tool in Apache Ranger before 0.5.0 allows remote authenticated users to bypass intended access restrict

CVE-2015-0265 MEDIUM POC
6.1 Apr 11

Cross-site scripting (XSS) vulnerability in the Policy Admin Tool in Apache Ranger before 0.5.0 allows remote attackers

CVE-2016-0733 CRITICAL
9.8 Apr 12

The Admin UI in Apache Ranger before 0.5.1 does not properly handle authentication requests that lack a password, which

CVE-2017-7676 CRITICAL
9.8 Jun 14

Policy resource matcher in Apache Ranger before 0.7.1 ignores characters after '*' wildcard character - like my*test, te

CVE-2024-55532 CRITICAL
9.8 Mar 03

Improper Neutralization of Formula Elements in Export CSV feature of Apache Ranger in Apache Ranger Version < 2.6.0. Rat

CVE-2025-59059 CRITICAL
9.8 Mar 03

RCE in Apache Ranger <= 2.7.0 via NashornScriptEngineCreator. EPSS 0.42%.

CVE-2016-0735 HIGH
8.8 Apr 11

Apache Ranger 0.5.x before 0.5.2 allows remote authenticated users to bypass intended parent resource-level access restr

CVE-2018-11778 HIGH
8.8 Oct 05

UnixAuthenticationService in Apache Ranger 1.2.0 was updated to correctly handle user input to avoid Stack-based buffer

CVE-2016-2174 HIGH
7.2 Jun 13

SQL injection vulnerability in the policy admin tool in Apache Ranger before 0.5.3 allows remote authenticated administr

CVE-2016-6815 MEDIUM
6.5 Oct 13

In Apache Ranger before 0.6.2, users with "keyadmin" role should not be allowed to change password for users with "admin

CVE-2015-5167 MEDIUM
6.5 Apr 12

The Policy Admin Tool in Apache Ranger before 0.5.1 allows remote authenticated users to bypass intended access restrict

CVE-2019-12397 MEDIUM
6.1 Aug 08

Policy import functionality in Apache Ranger 0.7.0 to 1.2.0 is vulnerable to a cross-site scripting issue. Rated medium

Share

CVE-2025-59060 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy