Apache Ranger
21 CVEs affecting Apache Ranger. Latest disclosed: 2026-03-03. Critical: 5, High: 6.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2025-59059 | Critical | 9.8 | 2026-03-03 | Remote Code Execution Vulnerability in NashornScriptEngineCreator is reported in Apache Ranger versions <= 2.7.0. Users are recommended to upgrade to version 2… |
| CVE-2024-55532 | Critical | 9.8 | 2025-03-03 | Improper Neutralization of Formula Elements in Export CSV feature of Apache Ranger in Apache Ranger Version < 2.6.0. Users are recommended to upgrade to versio… |
| CVE-2017-7676 | Critical | 9.8 | 2017-06-14 | Policy resource matcher in Apache Ranger before 0.7.1 ignores characters after '*' wildcard character - like my*test, test*.txt. This can result in unintended… |
| CVE-2016-0733 | Critical | 9.8 | 2016-04-12 | The Admin UI in Apache Ranger before 0.5.1 does not properly handle authentication requests that lack a password, which allows remote attackers to bypass authe… |
| CVE-2024-45479 | Critical | 9.1 | 2025-01-21 | SSRF vulnerability in Edit Service Page of Apache Ranger UI in Apache Ranger Version 2.4.0. Users are recommended to upgrade to version Apache Ranger 2.5.0, wh… |
| CVE-2018-11778 | High | 8.8 | 2018-10-05 | UnixAuthenticationService in Apache Ranger 1.2.0 was updated to correctly handle user input to avoid Stack-based buffer overflow. Versions prior to 1.2.0 shoul… |
| CVE-2016-0735 | High | 8.8 | 2016-04-11 | Apache Ranger 0.5.x before 0.5.2 allows remote authenticated users to bypass intended parent resource-level access restrictions by leveraging mishandling of a… |
| CVE-2022-45048 | High | 8.4 | 2023-05-05 | Authenticated users with appropriate privileges can create policies having expressions that can exploit code execution vulnerability. This issue affects Apache… |
| CVE-2021-40331 | High | 8.1 | 2023-05-05 | An Incorrect Permission Assignment for Critical Resource vulnerability was found in the Apache Ranger Hive Plugin. Any user with SELECT privilege on a database… |
| CVE-2016-2174 | High | 7.2 | 2016-06-13 | SQL injection vulnerability in the policy admin tool in Apache Ranger before 0.5.3 allows remote authenticated administrators to execute arbitrary SQL commands… |
| CVE-2015-0266 | High | 7.1 | 2016-04-11 | The Policy Admin Tool in Apache Ranger before 0.5.0 allows remote authenticated users to bypass intended access restrictions via direct access to module URLs. |
| CVE-2016-6815 | Medium | 6.5 | 2017-10-13 | In Apache Ranger before 0.6.2, users with "keyadmin" role should not be allowed to change password for users with "admin" role. |
| CVE-2015-5167 | Medium | 6.5 | 2016-04-12 | The Policy Admin Tool in Apache Ranger before 0.5.1 allows remote authenticated users to bypass intended access restrictions via the REST API. |
| CVE-2019-12397 | Medium | 6.1 | 2019-08-08 | Policy import functionality in Apache Ranger 0.7.0 to 1.2.0 is vulnerable to a cross-site scripting issue. Upgrade to 2.0.0 or later version of Apache Ranger w… |
| CVE-2015-0265 | Medium | 6.1 | 2016-04-11 | Cross-site scripting (XSS) vulnerability in the Policy Admin Tool in Apache Ranger before 0.5.0 allows remote attackers to inject arbitrary web script or HTML… |
| CVE-2017-7677 | Medium | 5.9 | 2017-06-14 | In environments that use external location for hive tables, Hive Authorizer in Apache Ranger before 0.7.1 should be checking RWX permission for create table. |
| CVE-2016-8746 | Medium | 5.9 | 2017-06-14 | Apache Ranger before 0.6.3 policy engine incorrectly matches paths in certain conditions when policy does not contain wildcards and has recursion flag set to t… |
| CVE-2025-59060 | Medium | 5.3 | 2026-03-03 | Hostname verification bypass issue in Apache Ranger NiFiRegistryClient/NiFiClient is reported in Apache Ranger versions <= 2.7.0. Users are recommended to upg… |
| CVE-2024-45478 | Medium | 4.8 | 2025-01-21 | Stored XSS vulnerability in Edit Service Page of Apache Ranger UI in Apache Ranger Version 2.4.0. Users are recommended to upgrade to version Apache Ranger 2.5… |
| CVE-2016-8751 | Medium | 4.8 | 2017-06-14 | Apache Ranger before 0.6.3 is vulnerable to a Stored Cross-Site Scripting when entering custom policy conditions. Admin users can store some arbitrary javas… |