CVE-2015-0266 — Apache Ranger allows users to bypass intended access restrictions via direct acc

Description

The Policy Admin Tool in Apache Ranger before 0.5.0 allows remote authenticated users to bypass intended access restrictions via direct access to module URLs.

How to fix CVE-2015-0266

To remediate CVE-2015-0266, upgrade the affected package to a fixed version below.

Maven/org.apache.ranger:ranger—upgrade to 0.5.0 or later

Is CVE-2015-0266 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 0.5.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.1	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N

References (7)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2015-0266
PATCHgithub.com/apache/ranger
WEBcwiki.apache.org/confluence/display/RANGER/Vulnerabilities+found+in+Ranger
WEBmail-archives.apache.org/mod_mbox/ranger-dev/201508.mbox/%3CD1E7EC30.9D53F%25vel%40apache.org%3E