You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Exploit Title: Insecure Permissions in Apache Ranger Version: 3.0.0
Date: 19/02/2024
Exploit Author: Gozan
Contact: https://github.com/gozan10
Product: Apache Ranger (https://github.com/apache/ranger)
Vendor: Apache Ranger
Description: Can edit information under the management rights of other users in module Settings->Users->User Edit
First, click on the user that belongs to another user's management and editing rights (Use burpsuite to view detailed information)
Data fields such as: first name, email, group, password, role,... are not allowed to be edited.
Then we use burpsuite to edit. API edit (http://host/service/xusers/secure/users/{id})
Edit data fields such as: first name, email, group, password, role...
result
The text was updated successfully, but these errors were encountered:
Exploit Title: Insecure Permissions in Apache Ranger Version: 3.0.0
Date: 19/02/2024
Exploit Author: Gozan
Contact: https://github.com/gozan10
Product: Apache Ranger (https://github.com/apache/ranger)
Vendor: Apache Ranger
Description: Can edit information under the management rights of other users in module Settings->Users->User Edit
First, click on the user that belongs to another user's management and editing rights (Use burpsuite to view detailed information)
Data fields such as: first name, email, group, password, role,... are not allowed to be edited.
Then we use burpsuite to edit. API edit (http://host/service/xusers/secure/users/{id})
Edit data fields such as: first name, email, group, password, role...
result
The text was updated successfully, but these errors were encountered: