
List:       oss-security
Subject:    [oss-security] CVE update (CVE-2016-5395) - Fixed in Apache Ranger 0.6.1
From:       Velmurugan Periasamy <vel () apache ! org>
Date:       2016-08-22 14:42:09
Message-ID: D3E08781.193C42%vel () apache ! org


Hello:

Here's a CVE update for the Ranger 0.6.1 release. Please see the details below.

Release details can be found at
https://cwiki.apache.org/confluence/display/RANGER/0.6.1+Release+-+Apache+Ranger

Thank you,
Velmurugan Periasamy

-----------------------------------------------------------------------------------------------
CVE-2016-5395: Apache Ranger Stored Cross Site Scripting vulnerability
-----------------------------------------------------------------------------------------------
Severity: Normal
Vendor: The Apache Software Foundation
Versions Affected: All 0.5.x versions of Apache Ranger and version 0.6.0
Users Affected: All users of the Ranger policy admin tool
Description: Apache Ranger was found to be vulnerable to stored cross-site
scripting in the create user functionality. Admin users can store arbitrary
JavaScript code that is executed when normal users log in and access policies.
Fix details: Added logic to sanitize the user input
Mitigation: Users should upgrade to 0.6.1 or later version of Apache Ranger with the fix.
Credit: Thanks to Victor Hora from Securus Global for reporting this issue.
-----------------------------------------------------------------------------------------------
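The advisory describes the vulnerable path (an admin-stored user attribute that is later rendered to other users) and the fix ("sanitize the user input"), but not the code. The following is an added illustration, not Apache Ranger's code: it shows the two layers that close this class of stored XSS, output escaping when a stored value is rendered and a conservative input rule on the create-user form. The field names, the policy structure and the allowed-character rule are assumptions for the example.

```javascript
// Added example (not Apache Ranger's code). Shows output escaping plus an
// input-side rule for user names, the two controls that stop a stored XSS of
// the kind described in CVE-2016-5395.

// Escape the characters that can break out of HTML text or attribute context.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Input-side check for a "create user" form. The character set is a
// hypothetical policy for this example, not Ranger's actual rule.
const USER_NAME_RE = /^[A-Za-z0-9._@ -]{1,64}$/;
function validateUserName(name) {
  return USER_NAME_RE.test(name);
}

// Render one policy row listing the users it applies to. Every stored value is
// escaped on output, so whatever an admin typed into the user form is shown
// as literal text when another user views the policy list.
function renderPolicyRow(policy) {
  const users = policy.users.map(escapeHtml).join(", ");
  return `<tr><td>${escapeHtml(policy.name)}</td><td>${users}</td></tr>`;
}

// Constructed sample record: one ordinary user and one admin-created user
// whose name carries markup.
const samplePolicy = {
  name: "hive_sales_db",
  users: ["alice", "<script>alert(1)</script>"],
};

function demo() {
  const html = renderPolicyRow(samplePolicy);
  console.log(html);
  console.log("plain name accepted:", validateUserName("alice"));
  console.log("markup name rejected:", !validateUserName(samplePolicy.users[1]));
  return html;
}
demo();
```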