5.3
Apache Ranger: Hackers Can Fake Certificate, Steal Data
CVE-2025-59060
GHSA-5fvg-qwcp-r325
Summary
Apache Ranger versions 2.7.0 and earlier contain a hostname verification bypass in NiFiRegistryClient/NiFiClient: a certificate is not properly validated against the host it is presented for. This could allow attackers to pretend to be a trusted server and steal sensitive information. To fix this, update to version 2.8.0 or later.
What to do
- Update apache org.apache.ranger:ranger-nifi-registry-plugin to version 2.8.0.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| apache | org.apache.ranger:ranger-nifi-registry-plugin | <= 2.8.0 | 2.8.0 |
| apache | ranger | <= 2.8.0 | – |
Original title
Apache Ranger Vulnerable to Improper Validation of Certificate with Host Mismatch
Original description
Hostname verification bypass issue in Apache Ranger NiFiRegistryClient/NiFiClient is reported in Apache Ranger versions <= 2.7.0.
Users are recommended to upgrade to version 2.8.0, which fixes this issue.
NVD CVSS 3.1
5.3
Vulnerability type
CWE-297
- https://lists.apache.org/thread/c4plx81z3xs86vgl3fd95y3q7hhtff05 Mailing List Vendor Advisory
- http://www.openwall.com/lists/oss-security/2026/03/02/4 Mailing List Third Party Advisory
- https://nvd.nist.gov/vuln/detail/CVE-2025-59060
- https://github.com/advisories/GHSA-5fvg-qwcp-r325
Published: 3 Mar 2026 · Updated: 13 Mar 2026 · First seen: 6 Mar 2026