A vulnerability, which was classified as critical, was found in Apache Ranger up to 0.5.2. Affected is an unknown part of the file service/plugins/policies/eventTime of the component Policy Admin Tool. The manipulation of the argument eventTime with an unknown input leads to a sql injection vulnerability. CWE is classifying the issue as CWE-89. The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. This is going to have an impact on confidentiality, integrity, and availability. CVE summarizes:

SQL injection vulnerability in the policy admin tool in Apache Ranger before 0.5.3 allows remote authenticated administrators to execute arbitrary SQL commands via the eventTime parameter to service/plugins/policies/eventTime.

The weakness was presented 06/13/2016 (Website). The advisory is shared for download at cwiki.apache.org. This vulnerability is traded as CVE-2016-2174 since 01/29/2016. The exploitability is told to be easy. It is possible to launch the attack remotely. A authentication is necessary for exploitation. There are known technical details, but no exploit is available. The MITRE ATT&CK project declares the attack technique as T1505.

Upgrading to version 0.5.3 eliminates this vulnerability.

See 82052, 82053, 82212 and 82250 for similar entries.

Productinfo

Vendor

• Apache

Name

• Ranger

Version

• 0.5.0
• 0.5.1
• 0.5.2

License

• open-source

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion