CVE update - fixed in Apache Ranger 2.0.0

Related Vulnerabilities: CVE-2019-12397  
                							

From: Velmurugan Periasamy <vel () apache org>

Date: Thu, 8 Aug 2019 12:15:54 -0400

Hello:

Please find below details on the CVE fixed in the Ranger 2.0.0 release. Release details can be found at
https://cwiki.apache.org/confluence/display/RANGER/2.0.0+Release+-+Apache+Ranger

———————————————————————————————————————————————————
CVE-2019-12397: Apache Ranger cross site scripting issue
Severity: Normal
Vendor: The Apache Software Foundation
Versions Affected: 0.7.0 to 1.2.0 versions of Apache Ranger, prior to 2.0.0
Users affected: All users of the Ranger policy admin tool
Description: Apache Ranger was found to be vulnerable to Cross-Site Scripting in the policy import functionality.
Fix detail: Added logic to sanitize the user input.
Mitigation: Users should upgrade to 2.0.0 or a later version of Apache Ranger with the fix.
Credit: Jan Kaszycki from STM Solutions
———————————————————————————————————————————————————

Thank you,
Velmurugan Periasamy
