
CVE-2016-2174:
SQL injection vulnerability in the policy admin tool in Apache Ranger

7.2

CVSS Score

Basic Information

EPSS Score
-
Published
10/17/2018
Updated
1/9/2023
KEV Status
No
Technology
Java

Technical Details

CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
| --- | --- | --- | --- |
| org.apache.ranger:ranger | maven | < 0.5.3 | 0.5.3 |

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stems from unparameterized SQL queries using the eventTime parameter. The primary vulnerable function would be the Data Access Object (DAO) method that handled policy queries with eventTime parameters using string concatenation, as indicated by the patch note about replacing native queries with JPA named queries. The REST controller endpoint that accepts the eventTime parameter and passes it to the DAO would appear in call stacks during exploitation. While we don't have exact patch diffs, the CVE description explicitly identifies both the vulnerable parameter (eventTime) and the mitigation strategy (JPA named queries), strongly indicating database access functions handling this parameter were vulnerable.
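The concatenation pattern this analysis describes, beside a JPA named-query replacement, as an added example that is not Ranger's code or its patch. The `PolicyEvent` entity, the `policy_event` table, the DAO and its method names are hypothetical, and `eventTime` is assumed to arrive as an ISO-8601 instant string.

```java
import java.time.Instant;
import java.time.format.DateTimeParseException;
import java.util.Date;
import java.util.List;
import javax.persistence.*;

// Hypothetical entity and table, for illustration only (not Ranger's schema).
@Entity
@Table(name = "policy_event")
@NamedQuery(
    name = "PolicyEvent.findAtOrBefore",
    query = "SELECT e FROM PolicyEvent e WHERE e.eventTime <= :eventTime "
          + "ORDER BY e.eventTime DESC")
class PolicyEvent {
    @Id Long id;
    @Temporal(TemporalType.TIMESTAMP)
    @Column(name = "event_time") Date eventTime;
}

class PolicyEventDao {
    private final EntityManager em;
    PolicyEventDao(EntityManager em) { this.em = em; }

    // BEFORE: the request string is spliced into the SQL text, so the
    // database parses caller-controlled characters as part of the statement.
    @SuppressWarnings("unchecked")
    List<PolicyEvent> findAtOrBeforeUnsafe(String eventTime) {
        String sql = "SELECT * FROM policy_event WHERE event_time <= '" + eventTime + "'";
        return em.createNativeQuery(sql, PolicyEvent.class).getResultList();
    }

    // AFTER: the statement text is fixed in the @NamedQuery above; the value is
    // parsed into a typed timestamp first and then bound as a parameter.
    List<PolicyEvent> findAtOrBefore(String eventTime) {
        final Date when;
        try {
            when = Date.from(Instant.parse(eventTime)); // assumed input format
        } catch (DateTimeParseException | NullPointerException e) {
            // Reject anything that is not a timestamp before it reaches the DAO query.
            throw new IllegalArgumentException("eventTime must be an ISO-8601 instant", e);
        }
        return em.createNamedQuery("PolicyEvent.findAtOrBefore", PolicyEvent.class)
                 .setParameter("eventTime", when, TemporalType.TIMESTAMP)
                 .getResultList();
    }
}
```

The two defenses are independent: the named query keeps the statement text constant even if validation is bypassed, and the strict parse gives the REST layer a clean rejection point that can be logged.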


WAF Protection Rules

WAF Rule

SQL injection vulnerability in the policy admin tool in Apache Ranger before 0.5.3 allows remote authenticated administrators to execute arbitrary SQL commands via the eventTime parameter to service/plugins/policies/eventTime.
