CVE-2016-0733
CRITICALApache Ranger < 0.5.1 - Unauthenticated Authentication Bypass via Missing Password
Title source: llmDescription
The Admin UI in Apache Ranger before 0.5.1 does not properly handle authentication requests that lack a password, which allows remote attackers to bypass authentication by leveraging knowledge of a valid username.
References (4)
Core 4
Core References
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/82871
Various Sources mailing-list
x_refsource_mlist
https://mail-archives.apache.org/mod_mbox/ranger-dev/201602.mbox/%3CD2D9A4C5.114ECA%25vel%40apache.org%3E
Vendor Advisory x_refsource_confirm
https://issues.apache.org/jira/browse/RANGER-835
Vendor Advisory x_refsource_confirm
https://cwiki.apache.org/confluence/display/RANGER/Vulnerabilities+found+in+Ranger
Scores
CVSS v3
9.8
EPSS
0.0165
EPSS Percentile
82.3%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-287
Status
published
Products (2)
apache/ranger
< 0.5.0
org.apache.ranger/ranger
0 - 0.5.1Maven
Published
Apr 12, 2016
Tracked Since
Feb 18, 2026