CVE-2024-55532
Published: 03 March 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2024-55532 is an improper neutralization of formula elements vulnerability in the Export CSV feature of Apache Ranger versions prior to 2.6.0. Published on March 3, 2025, this flaw (mapped to CWE-1236) carries a CVSS v3.1 base score of 9.8, indicating critical severity due to its network accessibility, low attack complexity, lack of required privileges or user interaction, and high impacts across confidentiality, integrity, and availability.
Remote unauthenticated attackers can exploit this vulnerability over the network by triggering the Export CSV functionality, potentially leading to severe consequences such as unauthorized data access, modification, or disruption, as reflected in the high CVSS impact metrics (C:H/I:H/A:H) with unchanged scope.
Apache advisories recommend upgrading to Ranger version 2.6.0, which addresses the issue. Additional details are available in the Apache Ranger vulnerabilities wiki at https://cwiki.apache.org/confluence/display/RANGER/Vulnerabilities+found+in+Ranger and the oss-security mailing list announcement at http://www.openwall.com/lists/oss-security/2025/03/03/2.
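For CWE-1236 the defensive fix is to neutralize formula triggers before a cell is written. The following is an added example, not Apache Ranger's own code: a minimal CSV export that prefixes cells beginning with a spreadsheet formula trigger so the cell is imported as text. The function names, the sample rows and the exemption for plain numeric values are assumptions made for this illustration.

```python
import csv
import io

# Leading characters that spreadsheet applications treat as the start of a
# formula (=, +, -, @) or that can break a quoted cell onto a new line.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r", "\n")


def _is_plain_number(text):
    """True for values such as -42 or +3.5 that must keep their sign."""
    try:
        float(text)
        return True
    except ValueError:
        return False


def neutralize_cell(value):
    """Return `value` as a string that a spreadsheet will import as text.

    A cell whose first character is a formula trigger gets a leading
    single quote, the standard CWE-1236 mitigation. Purely numeric
    values are left alone so negative numbers survive the export
    (assumed policy for this example).
    """
    text = "" if value is None else str(value)
    if text.startswith(FORMULA_TRIGGERS) and not _is_plain_number(text):
        text = "'" + text
    return text


def export_csv(rows, header):
    """Serialize `rows` to CSV with every data cell neutralized.

    csv.writer with QUOTE_ALL handles quoting and embedded separators,
    so only the formula-trigger check is added on top of it.
    """
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(header)
    for row in rows:
        writer.writerow([neutralize_cell(cell) for cell in row])
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample: one cell starts with "=", one is a real number.
    sample = [["=1+1", "policy name starting with a formula trigger"],
              ["-42", "negative number kept as-is"]]
    print(export_csv(sample, ["name", "description"]))
```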
Details
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability allows remote unauthenticated attackers to exploit the Export CSV feature in the public-facing Apache Ranger web application, directly mapping to T1190 Exploit Public-Facing Application.