Wildcard Character Mismanagement in Apache Ranger by Apache
CVE-2017-7676

9.8CRITICAL

Key Information:

Vendor: Apache
Status: Apache Ranger
Vendor: CVE Published:; 14 June 2017

Summary

The policy resource matcher in Apache Ranger prior to version 0.7.1 contains a flaw whereby it fails to properly process input that includes characters following the '*' wildcard. This limitation allows for potential manipulations that lead to unintended behavior in resource matching, disrupting security policies that rely on accurate resource identification.

Affected Version(s)

Apache Ranger 0.5.x

Apache Ranger 0.6.x

Apache Ranger 0.7.0

References

https://cwiki.apache.org/confluence/display/RANGER/Vulner...

x_refsource_CONFIRM

http://www.securityfocus.com/bid/98958

vdb-entryx_refsource_BID

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Jun 14, 2017
Vulnerability Reserved
Apr 11, 2017