CVE-2024-45479 (Critical)

Published: 21 January 2025
Modified: 10 June 2025
CISA KEV: not listed
CVSS v3.1 score: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
EPSS score: 0.0029 (52.4th percentile)
Risk priority: 18 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-45479 is a critical-severity SSRF (CWE-918) vulnerability in Apache Ranger. Its CVSS base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 47.6% of CVEs by exploit likelihood (EPSS) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2024-45479 is a Server-Side Request Forgery (SSRF) vulnerability, classified under CWE-918, affecting the Edit Service Page of the Apache Ranger UI in Apache Ranger version 2.4.0. This flaw allows attackers to manipulate server-side requests, potentially leading to unauthorized access to internal resources. The vulnerability carries a CVSS v3.1 base score of 9.1 (Critical), reflecting its network accessibility, low attack complexity, lack of required privileges or user interaction, and high impacts on confidentiality and integrity with no availability disruption.

Any unauthenticated attacker with network access can exploit this vulnerability by interacting with the affected Edit Service Page in the Apache Ranger UI. Successful exploitation enables high confidentiality impact, such as reading sensitive internal data or services not directly accessible externally, and high integrity impact, potentially allowing modification of targeted resources through forged requests, without affecting system availability.

Apache advisories recommend upgrading to Apache Ranger version 2.5.0, which resolves this issue. Additional details are available in the Apache Ranger vulnerabilities wiki at https://cwiki.apache.org/confluence/display/RANGER/Vulnerabilities+found+in+Ranger and the oss-security mailing list announcement at http://www.openwall.com/lists/oss-security/2025/01/21/4.


Vulnerability details

SSRF vulnerability in the Edit Service Page of the Apache Ranger UI in Apache Ranger version 2.4.0. Users are recommended to upgrade to Apache Ranger version 2.5.0, which fixes this issue.

CWE: CWE-918 (Server-Side Request Forgery)

Related Threats

MITRE ATT&CK Enterprise Techniques

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1046 Network Service Discovery (Discovery): Adversaries may attempt to get a listing of services running on remote hosts and local network infrastructure devices, including those that may be vulnerable to remote software exploitation.
Why these techniques?

SSRF in the public-facing Ranger UI directly enables T1190 exploitation, and the forged server-side requests can be used to probe internal networks and services (T1046).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

- CVE-2024-55532 (same product: Apache Ranger)
- CVE-2025-59059 (same product: Apache Ranger)
- CVE-2026-42404 (same vendor: Apache)
- CVE-2026-31910 (same vendor: Apache)
- CVE-2026-29226 (same vendor: Apache)
- CVE-2026-34476 (same vendor: Apache)
- CVE-2026-27446 (same vendor: Apache)
- CVE-2024-32838 (same vendor: Apache)
- CVE-2024-13924 (shared CWE-918)
- CVE-2026-42860 (shared CWE-918)

Affected Assets

- Vendor: apache
- Product: ranger
- Versions: 2.4.0 — 2.5.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent): Directly remediates the SSRF vulnerability by identifying, reporting, and applying the vendor-recommended patch to upgrade Apache Ranger from 2.4.0 to 2.5.0.

SI-10 Information Input Validation (prevent): Prevents SSRF exploitation by validating user inputs to the Edit Service Page in the Apache Ranger UI, blocking malicious URLs or parameters that would trigger unauthorized server-side requests.

Boundary protection (prevent): Mitigates SSRF impact by monitoring and controlling communications at network boundaries, isolating the publicly accessible Apache Ranger UI from internal networks so that forged requests cannot reach sensitive resources.
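The kind of input validation the SI-10 control above calls for, as an added example that is not Apache Ranger's own code: a user-supplied service endpoint URL is checked against a scheme, DNS-zone and port allowlist, then resolved and rejected if any address it maps to is loopback, link-local (which covers the 169.254.169.254 cloud-metadata address), multicast or otherwise non-routable. The zone, ports, hostnames and DNS table are all constructed for the example.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed policy (hypothetical values, not Ranger's configuration):
# service endpoints must use https, sit under an approved DNS zone and
# listen on an expected port.
ALLOWED_SCHEMES = {"https"}
ALLOWED_ZONE = ".data.example.internal"
ALLOWED_PORTS = {443, 10000}

# Constructed DNS table so the example runs offline; a real deployment
# would resolve with socket.getaddrinfo() at validation time.
FAKE_DNS = {
    "hive.data.example.internal": ["10.20.0.15"],
    "meta.data.example.internal": ["169.254.169.254"],  # maps to link-local metadata
}


def resolve(host):
    return FAKE_DNS.get(host, [])


def address_is_blocked(addr):
    """True for addresses a forged server-side request must never reach."""
    ip = ipaddress.ip_address(addr)
    return (ip.is_loopback or ip.is_link_local or ip.is_multicast
            or ip.is_unspecified or ip.is_reserved)


def validate_service_url(url, resolver=resolve):
    """Return (ok, reason) for a user-supplied service URL."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    # "https://trusted.host@attacker.host/" parses with the real host after '@'.
    if parts.username is not None or parts.password is not None:
        return False, "credentials in URL not allowed"
    host = (parts.hostname or "").lower()
    if not host.endswith(ALLOWED_ZONE):
        return False, "host outside approved zone"
    try:
        port = parts.port or 443
    except ValueError:  # out-of-range or non-numeric port
        return False, "malformed port"
    if port not in ALLOWED_PORTS:
        return False, "port not allowed"
    addrs = resolver(host)
    if not addrs:
        return False, "host does not resolve"
    if any(address_is_blocked(a) for a in addrs):
        return False, "resolves to a blocked address"
    return True, "ok"
```

The address list returned by the resolver should be the one actually connected to; re-resolving at connect time reopens the check to DNS rebinding.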
