List: oss-security
Subject: [oss-security] CVE update (CVE-2016-5395) - Fixed in Apache Ranger 0.6.1
From: Velmurugan Periasamy <vel () apache ! org>
Date: 2016-08-22 14:42:09
Message-ID: D3E08781.193C42%vel () apache ! org
Hello:
Here's a CVE update for Ranger 0.6.1 release. Please see below details.
Release details can be found at
https://cwiki.apache.org/confluence/display/RANGER/0.6.1+Release+-+Apache+Ranger
Thank you,
Velmurugan Periasamy
----------------------------------------------------------------------------
CVE-2016-5395: Apache Ranger Stored Cross Site Scripting vulnerability
----------------------------------------------------------------------------
Severity: Normal
Vendor: The Apache Software Foundation
Versions Affected: All 0.5.x versions of Apache Ranger and version 0.6.0
Users Affected: All users of ranger policy admin tool
Description: Apache Ranger was found to be vulnerable to a
Stored Cross-Site Scripting in the create user functionality. Admin users can
store some arbitrary javascript code to be executed when normal users login and
access policies.
Fix details: Added logic to sanitize the user input
Mitigation: Users should upgrade to 0.6.1 or later version of Apache Ranger
with the fix.
Credit: Thanks to Victor Hora from Securus Global for reporting this issue.
----------------------------------------------------------------------------