Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Mon, 22 Aug 2016 10:42:09 -0400
From: Velmurugan Periasamy <>
To: "" <>,
	"" <>,
	"" <>,
CC: "" <>,
	"" <>,
	"" <>,
	Velmurugan Periasamy <>
Subject: CVE update (CVE-2016-5395) - Fixed in Apache Ranger 0.6.1


HereĀ¹s a CVE update for Ranger 0.6.1 release. Please see below details.

Release details can be found at

Thank you,
Velmurugan Periasamy

CVE-2016-5395: Apache Ranger Stored Cross Site Scripting vulnerability
Severity: Normal 
Vendor: The Apache Software Foundation
Versions Affected: All 0.5.x versions of Apache Ranger and version 0.6.0
Users Affected: All users of ranger policy admin tool
Description: Apache Ranger was found to be vulnerable to a
Stored Cross-Site Scripting in the create user functionality. Admin users
store some arbitrary javascript code to be executed when normal users login
access policies. 
Fix details: Added logic to sanitize the user input
Mitigation: Users should upgrade to 0.6.1 or later version of Apache Ranger
with the fix.
Credit: Thanks to Victor Hora from Securus Global for reporting this issue.

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.