CVE-2016-8746: Apache Ranger policy engine incorrectly matches paths in certain conditions
5.9
CVSS Score
3.0
Basic Information
CVE ID
GHSA ID
EPSS Score
0.66578%
CWE
Published
10/17/2018
Updated
11/21/2023
KEV Status
No
Technology
Java
Technical Details
CVSS Vector
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
org.apache.ranger:ranger-plugins-common | maven | < 0.6.3 | 0.6.3 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from incorrect wildcard handling in resource matchers when policies have recursion enabled but no wildcards. The commit 2fcd7f7 modifies these two functions to: 1) Remove lenient wildcard checks in RangerAbstractResourceMatcher
, and 2) Explicitly handle single '*' wildcards in RangerPathResourceMatcher
. These changes directly address the path matching logic described in CVE-2016-8746
, confirming these functions as the root cause.