CRITICAL🇵🇱 Wersja polska

CVE-2025-59059

CVSS 9.8v3.1pub. 2026-03-03upd. 2026-03-05

Remote Code Execution Vulnerability in NashornScriptEngineCreator is reported in Apache Ranger versions <= 2.7.0. Users are recommended to upgrade to version 2.8.0, which fixes this issue.

🤖 AI Analysis
How it works

The vulnerability (CWE-94 — improper control of code generation) consists of unsafe use of the Nashorn script engine, which allows injection and execution of untrusted code. An attacker can deliver a crafted payload over the network without needing any privileges or user interaction. The network attack vector (AV:N) with no required privileges (PR:N) and user interaction (UI:N) makes this vulnerability particularly dangerous.

Impact

An attacker can gain full control over the server, obtaining access to sensitive data, modifying it, or causing service unavailability (complete breach of confidentiality, integrity, and availability).

Mitigation & patch

Apache Ranger should be updated as soon as possible to version 2.8.0, which contains a patch eliminating this vulnerability. Details available in the vendor's references: https://lists.apache.org/thread/z47q86rho80390lf2qcmoc2josvs0gtv

Who is affected

Apache Ranger versions 2.7.0 and earlier

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Apache Ranger

    APP
    Apache
    < 2.8.0
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCE
CWE
References

Related vulnerabilities

CVE-2024-55532CRITICAL9.8PL ✓ten sam produkt

CSV Injection w funkcji eksportu Apache Ranger (wersje < 2.6.0)

CVE-2024-45479CRITICAL9.1PL ✓ten sam produkt

SSRF w Apache Ranger UI — podatność na stronie edycji usług

CVE-2017-7676CRITICAL9.8ten sam produkt

Policy resource matcher in Apache Ranger before 0.7.1 ignores characters after '*' wildcard character - like m...

CVE-2016-0733CRITICAL9.8ten sam produkt

The Admin UI in Apache Ranger before 0.5.1 does not properly handle authentication requests that lack a passwo...

CVE-2021-40331HIGH8.1ten sam produkt

An Incorrect Permission Assignment for Critical Resource vulnerability was found in the Apache Ranger Hive Plu...