Cyber Posture

CVE-2024-45479

Critical

Published: 21 January 2025
Modified: 10 June 2025
KEV Added: (no date listed)
CVSS Score: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.0029 (52.0th percentile)
Risk Priority: 18 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Description

SSRF vulnerability in Edit Service Page of Apache Ranger UI in Apache Ranger Version 2.4.0. Users are recommended to upgrade to version Apache Ranger 2.5.0, which fixes this issue.

Security Summary

CVE-2024-45479 is a Server-Side Request Forgery (SSRF) vulnerability, classified under CWE-918, affecting the Edit Service Page of the Apache Ranger UI in Apache Ranger version 2.4.0. The flaw lets an attacker cause the Ranger server to issue requests to destinations of the attacker's choosing, potentially exposing internal resources that are not reachable from outside. The vulnerability carries a CVSS v3.1 base score of 9.1 (Critical), reflecting network accessibility, low attack complexity, no required privileges or user interaction, and high impacts on confidentiality and integrity with no availability impact.

Any unauthenticated attacker with network access to the affected Edit Service Page in the Apache Ranger UI can exploit this vulnerability. Successful exploitation has a high confidentiality impact, such as reading sensitive data from internal services that are not directly exposed, and a high integrity impact, since forged server-side requests may be used to modify the targeted resources; system availability is not affected.

Apache advisories recommend upgrading to Apache Ranger version 2.5.0, which resolves this issue. Additional details are available in the Apache Ranger vulnerabilities wiki at https://cwiki.apache.org/confluence/display/RANGER/Vulnerabilities+found+in+Ranger and the oss-security mailing list announcement at http://www.openwall.com/lists/oss-security/2025/01/21/4.

Details

CWE(s): CWE-918

Affected Products: apache ranger, versions 2.4.0 — 2.5.0
