Apache Ranger: code execution vulnerability in policy expressions
CVE-2022-45048

8.8HIGH

Key Information:

Vendor: Apache
Status: Apache Ranger
Vendor: CVE Published:; 5 May 2023

Summary

Authenticated users with the necessary privileges in Apache Ranger can exploit a vulnerability by creating specific policies that trigger arbitrary code execution. This flaw affects version 2.3.0, with users urged to upgrade to version 2.4.0 to mitigate the risk. It is crucial for organizations using this software to perform timely updates and enhance their security posture.

Affected Version(s)

Apache Ranger 2.3.0

References

https://lists.apache.org/thread/6rpzwy1smdhr60tsh1ydknn3k...

vendor-advisory

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
May 5, 2023
Vulnerability Reserved
Nov 8, 2022

Credit

[email protected]