Cyber Posture

CVE-2024-45479

Critical

Published: 21 January 2025

Modified: 10 June 2025
KEV Added
Patch
CVSS Score: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.0029 (52.0th percentile)
Risk Priority: 18 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-45479 is a critical-severity SSRF (CWE-918) vulnerability in Apache Ranger. Its CVSS base score is 9.1 (Critical).

Operationally, it ranks in the top 48.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) (AI)

prevent

Directly remediates the SSRF vulnerability by identifying, reporting, and applying the vendor-recommended patch to upgrade Apache Ranger from 2.4.0 to 2.5.0.

prevent

Prevents SSRF exploitation by validating user inputs to the Edit Service Page in Apache Ranger UI, blocking malicious URLs or parameters that trigger unauthorized server-side requests.

prevent

Mitigates SSRF impact by monitoring and controlling communications at boundaries, isolating the publicly accessible Apache Ranger UI from internal networks to block access to sensitive resources.

NVD Description

SSRF vulnerability in Edit Service Page of Apache Ranger UI in Apache Ranger Version 2.4.0. Users are recommended to upgrade to version Apache Ranger 2.5.0, which fixes this issue.

Deeper analysis (AI)

CVE-2024-45479 is a Server-Side Request Forgery (SSRF) vulnerability, classified under CWE-918, affecting the Edit Service Page of the Apache Ranger UI in Apache Ranger version 2.4.0. This flaw allows attackers to manipulate server-side requests, potentially leading to unauthorized access to internal resources. The vulnerability carries a CVSS v3.1 base score of 9.1 (Critical), reflecting its network accessibility, low attack complexity, lack of required privileges or user interaction, and high impacts on confidentiality and integrity with no availability disruption.

Any unauthenticated attacker with network access can exploit this vulnerability by interacting with the affected Edit Service Page in the Apache Ranger UI. Successful exploitation enables high confidentiality impact, such as reading sensitive internal data or services not directly accessible externally, and high integrity impact, potentially allowing modification of targeted resources through forged requests, without affecting system availability.

Apache advisories recommend upgrading to Apache Ranger version 2.5.0, which resolves this issue. Additional details are available in the Apache Ranger vulnerabilities wiki at https://cwiki.apache.org/confluence/display/RANGER/Vulnerabilities+found+in+Ranger and the oss-security mailing list announcement at http://www.openwall.com/lists/oss-security/2025/01/21/4.

Details

CWE(s)

Affected Products

Vendor: apache; Product: ranger; Versions: 2.4.0 — 2.5.0

CVEs Like This One

CVE-2024-55532 (same product: Apache Ranger)
CVE-2025-59059 (same product: Apache Ranger)
CVE-2026-42404 (same vendor: Apache)
CVE-2026-34476 (same vendor: Apache)
CVE-2026-40010 (same vendor: Apache)
CVE-2024-43166 (same vendor: Apache)
CVE-2025-58130 (same vendor: Apache)
CVE-2026-33266 (same vendor: Apache)
CVE-2026-42027 (same vendor: Apache)
CVE-2025-24783 (same vendor: Apache)
