SQL Injection Vulnerability in Apache Ranger Policy Admin Tool
CVE-2016-2174

7.2HIGH

Key Information:

Vendor: Apache
Status: Ranger
Vendor: CVE Published:; 13 June 2016

What is CVE-2016-2174?

An SQL injection vulnerability exists in the policy admin tool of Apache Ranger versions prior to 0.5.3. This flaw allows remote authenticated administrators to manipulate SQL commands via the 'eventTime' parameter in service/plugins/policies. Exploiting this vulnerability may lead to unauthorized access to sensitive data or the execution of arbitrary SQL commands within the database.

References

http://www.openwall.com/lists/oss-security/2016/06/01/3

mailing-listx_refsource_MLIST

https://cwiki.apache.org/confluence/display/RANGER/Vulner...

x_refsource_CONFIRM

CVSS V3.1

Score:

7.2

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 13, 2016
Vulnerability Reserved
Jan 29, 2016