CVE-2024-45478

Published Jan 21, 2025

Last updated 9 months ago

CVSS medium 4.8

Overview

Description
Stored XSS vulnerability in Edit Service Page of Apache Ranger UI in Apache Ranger Version 2.4.0. Users are recommended to upgrade to version Apache Ranger 2.5.0, which fixes this issue.
Source
security@apache.org
NVD status
Analyzed
Products
ranger

Risk scores

CVSS 3.1

Type
Secondary
Base score
4.8
Impact score
2.7
Exploitability score
1.7
Vector string
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Severity
MEDIUM

Weaknesses

security@apache.org
CWE-20
nvd@nist.gov
CWE-79

Social media

Hype score
Not currently trending

  1. CVE-2024-45478: Apache Ranger: Stored XSS in Edit Service page - Add logic to validate user input https://t.co/GEXQiLMQM4 CVE-2024-45479: Apache Ranger: SSRF in Edit Service page - Add logic to filter requests to localhost https://t.co/69QwH6efkR

    @oss_security

    21 Jan 2025

    136 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

Configurations

Related CVEs

  1. Hostname verification bypass issue in Apache Ranger NiFiRegistryClient/NiFiClient is reported in Apache Ranger versions <= 2.7.0. Users are recommended to upgrade to version 2.8.0, which fixes this issue.CVE-2025-59060
  2. Remote Code Execution Vulnerability in NashornScriptEngineCreator is reported in Apache Ranger versions <= 2.7.0. Users are recommended to upgrade to version 2.8.0, which fixes this issue.CVE-2025-59059
  3. SSRF vulnerability in Edit Service Page of Apache Ranger UI in Apache Ranger Version 2.4.0. Users are recommended to upgrade to version Apache Ranger 2.5.0, which fixes this issue.CVE-2024-45479

References

Sources include official advisories and independent security research.