Apache Ranger

21 CVEs affecting Apache Ranger. Latest disclosed: 2026-03-03. Critical: 5, High: 6.

Top CVEs affecting Apache Ranger
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2025-59059 | Critical | 9.8 | 2026-03-03 | Remote Code Execution Vulnerability in NashornScriptEngineCreator is reported in Apache Ranger versions <= 2.7.0. Users are recommended to upgrade to version 2… |
| CVE-2024-55532 | Critical | 9.8 | 2025-03-03 | Improper Neutralization of Formula Elements in Export CSV feature of Apache Ranger in Apache Ranger Version < 2.6.0. Users are recommended to upgrade to versio… |
| CVE-2017-7676 | Critical | 9.8 | 2017-06-14 | Policy resource matcher in Apache Ranger before 0.7.1 ignores characters after '*' wildcard character - like my*test, test*.txt. This can result in unintended… |
| CVE-2016-0733 | Critical | 9.8 | 2016-04-12 | The Admin UI in Apache Ranger before 0.5.1 does not properly handle authentication requests that lack a password, which allows remote attackers to bypass authe… |
| CVE-2024-45479 | Critical | 9.1 | 2025-01-21 | SSRF vulnerability in Edit Service Page of Apache Ranger UI in Apache Ranger Version 2.4.0. Users are recommended to upgrade to version Apache Ranger 2.5.0, wh… |
| CVE-2018-11778 | High | 8.8 | 2018-10-05 | UnixAuthenticationService in Apache Ranger 1.2.0 was updated to correctly handle user input to avoid Stack-based buffer overflow. Versions prior to 1.2.0 shoul… |
| CVE-2016-0735 | High | 8.8 | 2016-04-11 | Apache Ranger 0.5.x before 0.5.2 allows remote authenticated users to bypass intended parent resource-level access restrictions by leveraging mishandling of a… |
| CVE-2022-45048 | High | 8.4 | 2023-05-05 | Authenticated users with appropriate privileges can create policies having expressions that can exploit code execution vulnerability. This issue affects Apache… |
| CVE-2021-40331 | High | 8.1 | 2023-05-05 | An Incorrect Permission Assignment for Critical Resource vulnerability was found in the Apache Ranger Hive Plugin. Any user with SELECT privilege on a database… |
| CVE-2016-2174 | High | 7.2 | 2016-06-13 | SQL injection vulnerability in the policy admin tool in Apache Ranger before 0.5.3 allows remote authenticated administrators to execute arbitrary SQL commands… |
| CVE-2015-0266 | High | 7.1 | 2016-04-11 | The Policy Admin Tool in Apache Ranger before 0.5.0 allows remote authenticated users to bypass intended access restrictions via direct access to module URLs. |
| CVE-2016-6815 | Medium | 6.5 | 2017-10-13 | In Apache Ranger before 0.6.2, users with "keyadmin" role should not be allowed to change password for users with "admin" role. |
| CVE-2015-5167 | Medium | 6.5 | 2016-04-12 | The Policy Admin Tool in Apache Ranger before 0.5.1 allows remote authenticated users to bypass intended access restrictions via the REST API. |
| CVE-2019-12397 | Medium | 6.1 | 2019-08-08 | Policy import functionality in Apache Ranger 0.7.0 to 1.2.0 is vulnerable to a cross-site scripting issue. Upgrade to 2.0.0 or later version of Apache Ranger w… |
| CVE-2015-0265 | Medium | 6.1 | 2016-04-11 | Cross-site scripting (XSS) vulnerability in the Policy Admin Tool in Apache Ranger before 0.5.0 allows remote attackers to inject arbitrary web script or HTML… |
| CVE-2017-7677 | Medium | 5.9 | 2017-06-14 | In environments that use external location for hive tables, Hive Authorizer in Apache Ranger before 0.7.1 should be checking RWX permission for create table. |
| CVE-2016-8746 | Medium | 5.9 | 2017-06-14 | Apache Ranger before 0.6.3 policy engine incorrectly matches paths in certain conditions when policy does not contain wildcards and has recursion flag set to t… |
| CVE-2025-59060 | Medium | 5.3 | 2026-03-03 | Hostname verification bypass issue in Apache Ranger NiFiRegistryClient/NiFiClient is reported in Apache Ranger versions <= 2.7.0. Users are recommended to upg… |
| CVE-2024-45478 | Medium | 4.8 | 2025-01-21 | Stored XSS vulnerability in Edit Service Page of Apache Ranger UI in Apache Ranger Version 2.4.0. Users are recommended to upgrade to version Apache Ranger 2.5… |
| CVE-2016-8751 | Medium | 4.8 | 2017-06-14 | Apache Ranger before 0.6.3 is vulnerable to a Stored Cross-Site Scripting in when entering custom policy conditions. Admin users can store some arbitrary javas… |