Search
Find a vulnerability
Search criteria
42 vulnerabilities found for Apache Zeppelin by Apache Software Foundation
CVE-2024-51775 (GCVE-0-2024-51775)
Vulnerability from nvd – Published: 2025-08-03 10:13 – Updated: 2025-11-04 21:09
VLAI
Title
Apache Zeppelin: Command Injection via CSWSH
Summary
Missing Origin Validation in WebSockets vulnerability in Apache Zeppelin.
The attacker could access the Zeppelin server from another origin without any restriction, and get internal information about paragraphs.
This issue affects Apache Zeppelin: from 0.11.1 before 0.12.0.
Users are recommended to upgrade to version 0.12.0, which fixes the issue.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-1385 - Missing Origin Validation in WebSockets
Assigner
References
2 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache Zeppelin |
Affected:
0.11.1 , < 0.12.0
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-51775",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-05T15:23:52.792934Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-05T15:24:11.780Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-04T21:09:01.910Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2025/08/03/5"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.maven.apache.org/maven2",
"defaultStatus": "unaffected",
"packageName": "org.apache.zeppelin:zeppelin-shell",
"product": "Apache Zeppelin",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "0.12.0",
"status": "affected",
"version": "0.11.1",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Calum Hutton"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eMissing Origin Validation in WebSockets vulnerability in Apache Zeppelin.\u003c/p\u003eThe attacker could access the Zeppelin server from another origin without any restriction, and get internal information about paragraphs.\u0026nbsp;\u003cbr\u003e\u003cp\u003eThis issue affects Apache Zeppelin: from 0.11.1 before 0.12.0.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 0.12.0, which fixes the issue.\u003c/p\u003e"
}
],
"value": "Missing Origin Validation in WebSockets vulnerability in Apache Zeppelin.\n\nThe attacker could access the Zeppelin server from another origin without any restriction, and get internal information about paragraphs.\u00a0\nThis issue affects Apache Zeppelin: from 0.11.1 before 0.12.0.\n\nUsers are recommended to upgrade to version 0.12.0, which fixes the issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "moderate"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1385",
"description": "CWE-1385 Missing Origin Validation in WebSockets",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-03T10:13:17.467Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/apache/zeppelin/pull/4823"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache Zeppelin: Command Injection via CSWSH",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2024-51775",
"datePublished": "2025-08-03T10:13:17.467Z",
"dateReserved": "2024-11-02T13:39:42.909Z",
"dateUpdated": "2025-11-04T21:09:01.910Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-52279 (GCVE-0-2024-52279)
Vulnerability from nvd – Published: 2025-08-03 10:02 – Updated: 2025-11-04 21:09
VLAI
Title
Apache Zeppelin: Arbitrary file read by adding malicious JDBC connection string
Summary
Improper Input Validation vulnerability in Apache Zeppelin. The fix for JDBC URL validation in CVE-2024-31864 did not account for URL encoded input.
This issue affects Apache Zeppelin: from 0.11.1 before 0.12.0.
Users are recommended to upgrade to version 0.12.0, which fixes the issue.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-20 - Improper Input Validation
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://github.com/apache/zeppelin/pull/4838 | patch |
| https://issues.apache.org/jira/browse/ZEPPELIN-6095 | issue-tracking |
| https://www.cve.org/CVERecord?id=CVE-2024-31864 | issue-tracking |
| https://lists.apache.org/thread/dxb98vgrb21rrl3k0… | vendor-advisory |
| http://www.openwall.com/lists/oss-security/2025/08/03/3 |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache Zeppelin |
Affected:
0.11.1 , < 0.12.0
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-52279",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-05T15:24:44.320475Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-05T15:25:06.848Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-04T21:09:03.247Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2025/08/03/3"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.maven.apache.org/maven2",
"defaultStatus": "unaffected",
"packageName": "org.apache.zeppelin:zeppelin-jdbc",
"product": "Apache Zeppelin",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "0.12.0",
"status": "affected",
"version": "0.11.1",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "H Ming"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eImproper Input Validation vulnerability in Apache Zeppelin. The fix for JDBC URL validation in CVE-2024-31864 did not account for URL encoded input.\u003c/p\u003e\u003cp\u003eThis issue affects Apache Zeppelin: from 0.11.1 before 0.12.0.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 0.12.0, which fixes the issue.\u003c/p\u003e"
}
],
"value": "Improper Input Validation vulnerability in Apache Zeppelin. The fix for JDBC URL validation in CVE-2024-31864 did not account for URL encoded input.\n\nThis issue affects Apache Zeppelin: from 0.11.1 before 0.12.0.\n\nUsers are recommended to upgrade to version 0.12.0, which fixes the issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "moderate"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-03T10:02:05.153Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/apache/zeppelin/pull/4838"
},
{
"tags": [
"issue-tracking"
],
"url": "https://issues.apache.org/jira/browse/ZEPPELIN-6095"
},
{
"tags": [
"issue-tracking"
],
"url": "https://www.cve.org/CVERecord?id=CVE-2024-31864"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/dxb98vgrb21rrl3k0fzonpk66onr6o4q"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache Zeppelin: Arbitrary file read by adding malicious JDBC connection string",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2024-52279",
"datePublished": "2025-08-03T10:02:05.153Z",
"dateReserved": "2024-11-06T09:19:55.078Z",
"dateUpdated": "2025-11-04T21:09:03.247Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-41177 (GCVE-0-2024-41177)
Vulnerability from nvd – Published: 2025-08-03 10:09 – Updated: 2025-11-04 21:08
VLAI
Title
Apache Zeppelin: XSS in the Helium module
Summary
Incomplete Blacklist to Cross-Site Scripting vulnerability in Apache Zeppelin.
This issue affects Apache Zeppelin: before 0.12.0.
Users are recommended to upgrade to version 0.12.0, which fixes the issue.
Severity
6.1 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
4 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache Zeppelin |
Affected:
0 , < 0.12.0
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-41177",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-04T13:20:16.874641Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-04T13:21:36.476Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-04T21:08:43.404Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2025/08/03/4"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.maven.apache.org/maven2",
"defaultStatus": "unaffected",
"packageName": "org.apache.zeppelin:zeppelin-web",
"product": "Apache Zeppelin",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "0.12.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "H Ming"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIncomplete Blacklist to Cross-Site Scripting vulnerability in Apache Zeppelin.\u003c/p\u003e\u003cp\u003eThis issue affects Apache Zeppelin: before 0.12.0.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 0.12.0, which fixes the issue.\u003c/p\u003e"
}
],
"value": "Incomplete Blacklist to Cross-Site Scripting vulnerability in Apache Zeppelin.\n\nThis issue affects Apache Zeppelin: before 0.12.0.\n\nUsers are recommended to upgrade to version 0.12.0, which fixes the issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "moderate"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-03T10:09:43.302Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/apache/zeppelin/pull/4755"
},
{
"tags": [
"patch"
],
"url": "https://github.com/apache/zeppelin/pull/4795"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/nwh8vh9f3pnvt04n8z4g2kbddh62blr6"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache Zeppelin: XSS in the Helium module",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2024-41177",
"datePublished": "2025-08-03T10:09:43.302Z",
"dateReserved": "2024-07-17T14:51:36.965Z",
"dateUpdated": "2025-11-04T21:08:43.404Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-41169 (GCVE-0-2024-41169)
Vulnerability from nvd – Published: 2025-07-12 16:22 – Updated: 2025-11-04 21:08
VLAI
Title
Apache Zeppelin: raft directory listing and file read
Summary
The attacker can use the raft server protocol in an unauthenticated way. The attacker can see the server's resources, including directories and files.
This issue affects Apache Zeppelin: from 0.10.1 up to 0.12.0.
Users are recommended to upgrade to version 0.12.0, which fixes the issue by removing the Cluster Interpreter.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-664 - Improper Control of a Resource Through its Lifetime
Assigner
References
4 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache Zeppelin |
Affected:
0.10.1 , < 0.12.0
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-41169",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-14T15:41:04.363543Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-14T15:42:07.486Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-04T21:08:42.107Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2025/07/13/1"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.maven.apache.org/maven2",
"defaultStatus": "unaffected",
"packageName": "org.apache.zeppelin:zeppelin-server",
"product": "Apache Zeppelin",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "0.12.0",
"status": "affected",
"version": "0.10.1",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "SuperX \u003csuperxyyang@gmail.com\u003e"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThe attacker can use the raft server protocol in an unauthenticated way. The attacker can see the server\u0027s resources, including directories and files.\u003c/p\u003e\u003cp\u003eThis issue affects Apache Zeppelin: from 0.10.1 up to 0.12.0.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 0.12.0,\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003ewhich fixes the issue by removing the Cluster Interpreter.\u003c/span\u003e\u003c/p\u003e"
}
],
"value": "The attacker can use the raft server protocol in an unauthenticated way. The attacker can see the server\u0027s resources, including directories and files.\n\nThis issue affects Apache Zeppelin: from 0.10.1 up to 0.12.0.\n\nUsers are recommended to upgrade to version 0.12.0,\u00a0which fixes the issue by removing the Cluster Interpreter."
}
],
"metrics": [
{
"other": {
"content": {
"text": "moderate"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-664",
"description": "CWE-664 Improper Control of a Resource Through its Lifetime",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-12T16:22:35.724Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/apache/zeppelin/pull/4841"
},
{
"tags": [
"issue-tracking"
],
"url": "https://issues.apache.org/jira/browse/ZEPPELIN-6101"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/moyym04993c8owh4h0qj98r43tbo8qdd"
}
],
"source": {
"advisory": "ZEPPELIN-6101",
"defect": [
"https://issues.apache.org/jira/browse/ZEPPELIN-6101"
],
"discovery": "UNKNOWN"
},
"title": "Apache Zeppelin: raft directory listing and file read",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2024-41169",
"datePublished": "2025-07-12T16:22:35.724Z",
"dateReserved": "2024-07-17T08:42:21.067Z",
"dateUpdated": "2025-11-04T21:08:42.107Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-31867 (GCVE-0-2024-31867)
Vulnerability from nvd – Published: 2024-04-09 16:15 – Updated: 2025-02-13 17:52
VLAI
Title
Apache Zeppelin: LDAP search filter query Injection Vulnerability
Summary
Improper Input Validation vulnerability in Apache Zeppelin.
The attackers can execute malicious queries by setting improper configuration properties to LDAP search filter.
This issue affects Apache Zeppelin: from 0.8.2 before 0.11.1.
Users are recommended to upgrade to version 0.11.1, which fixes the issue.
Severity
6.5 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-20 - Improper Input Validation
Assigner
References
3 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache Zeppelin |
Affected:
0.8.2 , < 0.11.1
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-31867",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-04-10T19:22:49.563785Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-06T20:51:43.890Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T01:59:49.387Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"patch",
"x_transferred"
],
"url": "https://github.com/apache/zeppelin/pull/4714"
},
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/s4scw8bxdhrjs0kg0lhb68xqd8y9lrtf"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2024/04/09/12"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.maven.apache.org/maven2",
"defaultStatus": "unaffected",
"packageName": "org.apache.zeppelin:zeppelin-server",
"product": "Apache Zeppelin",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "0.11.1",
"status": "affected",
"version": "0.8.2",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Qing Xu"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Input Validation vulnerability in Apache Zeppelin.\u003cbr\u003e\u003cbr\u003eThe attackers can execute malicious queries by setting improper configuration properties to LDAP search filter.\u003cbr\u003e\u003cp\u003eThis issue affects Apache Zeppelin: from 0.8.2 before 0.11.1.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 0.11.1, which fixes the issue.\u003c/p\u003e"
}
],
"value": "Improper Input Validation vulnerability in Apache Zeppelin.\n\nThe attackers can execute malicious queries by setting improper configuration properties to LDAP search filter.\nThis issue affects Apache Zeppelin: from 0.8.2 before 0.11.1.\n\nUsers are recommended to upgrade to version 0.11.1, which fixes the issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "moderate"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-01T18:07:13.058Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/apache/zeppelin/pull/4714"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/s4scw8bxdhrjs0kg0lhb68xqd8y9lrtf"
},
{
"url": "http://www.openwall.com/lists/oss-security/2024/04/09/12"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache Zeppelin: LDAP search filter query Injection Vulnerability",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2024-31867",
"datePublished": "2024-04-09T16:15:47.978Z",
"dateReserved": "2024-04-06T11:51:11.435Z",
"dateUpdated": "2025-02-13T17:52:00.183Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-31868 (GCVE-0-2024-31868)
Vulnerability from nvd – Published: 2024-04-09 16:10 – Updated: 2024-11-04 16:12
VLAI
Title
Apache Zeppelin: XSS vulnerability in the helium module
Summary
Improper Encoding or Escaping of Output vulnerability in Apache Zeppelin.
The attackers can modify helium.json and exposure XSS attacks to normal users.
This issue affects Apache Zeppelin: from 0.8.2 before 0.11.1.
Users are recommended to upgrade to version 0.11.1, which fixes the issue.
Severity
6.1 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/apache/zeppelin/pull/4728 | patch |
| https://lists.apache.org/thread/55mqs673plsxmgnq7… | vendor-advisory |
| http://www.openwall.com/lists/oss-security/2024/0… | x_transferred |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache Zeppelin |
Affected:
0.8.2 , < 0.11.1
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-31868",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-04-11T17:24:09.912394Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-04T16:12:40.294Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T01:59:50.569Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"patch",
"x_transferred"
],
"url": "https://github.com/apache/zeppelin/pull/4728"
},
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/55mqs673plsxmgnq7fdf2flftpllyf11"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2024/04/09/11"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.maven.apache.org/maven2",
"defaultStatus": "unaffected",
"packageName": "org.apache.zeppelin:zeppelin-interpreter",
"product": "Apache Zeppelin",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "0.11.1",
"status": "affected",
"version": "0.8.2",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "H Ming"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Encoding or Escaping of Output vulnerability in Apache Zeppelin.\u003cbr\u003e\u003cbr\u003eThe attackers can modify helium.json and exposure XSS attacks to normal users.\u003cbr\u003e\u003cp\u003eThis issue affects Apache Zeppelin: from 0.8.2 before 0.11.1.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 0.11.1, which fixes the issue.\u003c/p\u003e"
}
],
"value": "Improper Encoding or Escaping of Output vulnerability in Apache Zeppelin.\n\nThe attackers can modify helium.json and exposure XSS attacks to normal users.\nThis issue affects Apache Zeppelin: from 0.8.2 before 0.11.1.\n\nUsers are recommended to upgrade to version 0.11.1, which fixes the issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "moderate"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-03T12:35:16.585Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/apache/zeppelin/pull/4728"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/55mqs673plsxmgnq7fdf2flftpllyf11"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache Zeppelin: XSS vulnerability in the helium module",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2024-31868",
"datePublished": "2024-04-09T16:10:30.671Z",
"dateReserved": "2024-04-06T11:51:21.885Z",
"dateUpdated": "2024-11-04T16:12:40.294Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-31866 (GCVE-0-2024-31866)
Vulnerability from nvd – Published: 2024-04-09 16:09 – Updated: 2025-02-13 17:51
VLAI
Title
Apache Zeppelin: Interpreter download command does not escape malicious code injection
Summary
Improper Encoding or Escaping of Output vulnerability in Apache Zeppelin.
The attackers can execute shell scripts or malicious code by overriding configuration like ZEPPELIN_INTP_CLASSPATH_OVERRIDES.
This issue affects Apache Zeppelin: from 0.8.2 before 0.11.1.
Users are recommended to upgrade to version 0.11.1, which fixes the issue.
Severity
9.8 (Critical)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-116 - Improper Encoding or Escaping of Output
Assigner
References
3 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache Zeppelin |
Affected:
0.8.2 , < 0.11.1
(semver)
|
|
| apache_software_foundation | apache_zeppelin |
Affected:
0.8.2 , < 0.11.1
(semver)
cpe:2.3:a:apache_software_foundation:apache_zeppelin:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T01:59:50.665Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"patch",
"x_transferred"
],
"url": "https://github.com/apache/zeppelin/pull/4715"
},
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/jpkbq3oktopt34x2n5wnhzc2r1410ddd"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2024/04/09/10"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:apache_software_foundation:apache_zeppelin:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "apache_zeppelin",
"vendor": "apache_software_foundation",
"versions": [
{
"lessThan": "0.11.1",
"status": "affected",
"version": "0.8.2",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-31866",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-21T13:59:15.091777Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-21T14:33:03.134Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.maven.apache.org/maven2",
"defaultStatus": "unaffected",
"packageName": "org.apache.zeppelin:zeppelin-interpreter",
"product": "Apache Zeppelin",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "0.11.1",
"status": "affected",
"version": "0.8.2",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Esa Hiltunen"
},
{
"lang": "en",
"type": "finder",
"value": "https://teragrep.com"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Encoding or Escaping of Output vulnerability in Apache Zeppelin.\u003cbr\u003e\u003cbr\u003eThe attackers can execute shell scripts or malicious code by overriding configuration like\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eZEPPELIN_INTP_CLASSPATH_OVERRIDES.\u003c/span\u003e\u003cbr\u003e\u003cp\u003eThis issue affects Apache Zeppelin: from 0.8.2 before 0.11.1.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 0.11.1, which fixes the issue.\u003c/p\u003e"
}
],
"value": "Improper Encoding or Escaping of Output vulnerability in Apache Zeppelin.\n\nThe attackers can execute shell scripts or malicious code by overriding configuration like\u00a0ZEPPELIN_INTP_CLASSPATH_OVERRIDES.\nThis issue affects Apache Zeppelin: from 0.8.2 before 0.11.1.\n\nUsers are recommended to upgrade to version 0.11.1, which fixes the issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "moderate"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-116",
"description": "CWE-116 Improper Encoding or Escaping of Output",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-01T18:07:49.092Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/apache/zeppelin/pull/4715"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/jpkbq3oktopt34x2n5wnhzc2r1410ddd"
},
{
"url": "http://www.openwall.com/lists/oss-security/2024/04/09/10"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache Zeppelin: Interpreter download command does not escape malicious code injection",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2024-31866",
"datePublished": "2024-04-09T16:09:12.117Z",
"dateReserved": "2024-04-06T11:51:00.551Z",
"dateUpdated": "2025-02-13T17:51:59.550Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-31865 (GCVE-0-2024-31865)
Vulnerability from nvd – Published: 2024-04-09 16:07 – Updated: 2025-02-13 17:48
VLAI
Title
Apache Zeppelin: Cron arbitrary user impersonation with improper privileges
Summary
Improper Input Validation vulnerability in Apache Zeppelin.
The attackers can call updating cron API with invalid or improper privileges so that the notebook can run with the privileges.
This issue affects Apache Zeppelin: from 0.8.2 before 0.11.1.
Users are recommended to upgrade to version 0.11.1, which fixes the issue.
Severity
6.5 (Medium)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-20 - Improper Input Validation
Assigner
References
3 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache Zeppelin |
Affected:
0.8.2 , < 0.11.1
(semver)
|
|
| apache | zeppelin |
Affected:
0.8.2
cpe:2.3:a:apache:zeppelin:0.8.2:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:apache:zeppelin:0.8.2:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "zeppelin",
"vendor": "apache",
"versions": [
{
"status": "affected",
"version": "0.8.2"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-31865",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-04-22T18:48:59.403032Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:36:49.248Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T01:59:49.913Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"patch",
"x_transferred"
],
"url": "https://github.com/apache/zeppelin/pull/4631"
},
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/slm1sf0slwc11f4m4r0nd6ot2rf7w81l"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2024/04/09/9"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.maven.apache.org/maven2",
"defaultStatus": "unaffected",
"packageName": "org.apache.zeppelin:zeppelin-server",
"product": "Apache Zeppelin",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "0.11.1",
"status": "affected",
"version": "0.8.2",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Esa Hiltunen"
},
{
"lang": "en",
"type": "finder",
"value": "https://teragrep.com"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eImproper Input Validation vulnerability in Apache Zeppelin.\u003c/p\u003e\u003cp\u003eThe attackers can call updating cron API with invalid or improper privileges so that the notebook can run with the privileges.\u003c/p\u003e\u003cp\u003eThis issue affects Apache Zeppelin: from 0.8.2 before 0.11.1.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 0.11.1, which fixes the issue.\u003c/p\u003e"
}
],
"value": "Improper Input Validation vulnerability in Apache Zeppelin.\n\nThe attackers can call updating cron API with invalid or improper privileges so that the notebook can run with the privileges.\n\nThis issue affects Apache Zeppelin: from 0.8.2 before 0.11.1.\n\nUsers are recommended to upgrade to version 0.11.1, which fixes the issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "moderate"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-01T18:11:41.213Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/apache/zeppelin/pull/4631"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/slm1sf0slwc11f4m4r0nd6ot2rf7w81l"
},
{
"url": "http://www.openwall.com/lists/oss-security/2024/04/09/9"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache Zeppelin: Cron arbitrary user impersonation with improper privileges",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2024-31865",
"datePublished": "2024-04-09T16:07:36.358Z",
"dateReserved": "2024-04-06T11:50:47.384Z",
"dateUpdated": "2025-02-13T17:48:06.867Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-31864 (GCVE-0-2024-31864)
Vulnerability from nvd – Published: 2024-04-09 16:05 – Updated: 2025-11-04 21:08
VLAI
Title
Apache Zeppelin: Remote code execution by adding malicious JDBC connection string
Summary
Improper Control of Generation of Code ('Code Injection') vulnerability in Apache Zeppelin.
The attacker can inject sensitive configuration or malicious code when connecting MySQL database via JDBC driver.
This issue affects Apache Zeppelin: before 0.11.1.
Users are recommended to upgrade to version 0.11.1, which fixes the issue.
Severity
9.8 (Critical)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-94 - Improper Control of Generation of Code ('Code Injection')
Assigner
References
5 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache Zeppelin |
Affected:
0 , < 0.11.1
(semver)
|
|
| apache | zeppelin |
Affected:
0 , < 0.11.1
(semver)
cpe:2.3:a:apache:zeppelin:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:apache:zeppelin:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "zeppelin",
"vendor": "apache",
"versions": [
{
"lessThan": "0.11.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-31864",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-31T21:01:13.020171Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-31T21:03:11.993Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-04T21:08:35.546Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"patch",
"x_transferred"
],
"url": "https://github.com/apache/zeppelin/pull/4709"
},
{
"tags": [
"related",
"x_transferred"
],
"url": "https://www.cve.org/CVERecord?id=CVE-2020-11974"
},
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/752qdk0rnkd9nqtornz734zwb7xdwcdb"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2024/04/09/8"
},
{
"url": "http://www.openwall.com/lists/oss-security/2025/08/03/3"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.maven.apache.org/maven2",
"defaultStatus": "unaffected",
"product": "Apache Zeppelin",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "0.11.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "rg"
},
{
"lang": "en",
"type": "finder",
"value": "Nbxiglk"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Control of Generation of Code (\u0027Code Injection\u0027) vulnerability in Apache Zeppelin.\u003cbr\u003e\u003cbr\u003eThe attacker can inject sensitive configuration or malicious code when connecting MySQL database via JDBC driver.\u003cbr\u003e\u003cp\u003eThis issue affects Apache Zeppelin: before 0.11.1.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 0.11.1, which fixes the issue.\u003c/p\u003e"
}
],
"value": "Improper Control of Generation of Code (\u0027Code Injection\u0027) vulnerability in Apache Zeppelin.\n\nThe attacker can inject sensitive configuration or malicious code when connecting MySQL database via JDBC driver.\nThis issue affects Apache Zeppelin: before 0.11.1.\n\nUsers are recommended to upgrade to version 0.11.1, which fixes the issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "moderate"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-01T18:11:46.568Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/apache/zeppelin/pull/4709"
},
{
"tags": [
"related"
],
"url": "https://www.cve.org/CVERecord?id=CVE-2020-11974"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/752qdk0rnkd9nqtornz734zwb7xdwcdb"
},
{
"url": "http://www.openwall.com/lists/oss-security/2024/04/09/8"
}
],
"source": {
"defect": [
"ZEPPELIN-5990"
],
"discovery": "UNKNOWN"
},
"title": "Apache Zeppelin: Remote code execution by adding malicious JDBC connection string",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2024-31864",
"datePublished": "2024-04-09T16:05:32.690Z",
"dateReserved": "2024-04-06T11:50:37.125Z",
"dateUpdated": "2025-11-04T21:08:35.546Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-31863 (GCVE-0-2024-31863)
Vulnerability from nvd – Published: 2024-04-09 10:25 – Updated: 2025-03-25 18:21
VLAI
Title
Apache Zeppelin: Replacing other users notebook, bypassing any permissions
Summary
Authentication Bypass by Spoofing vulnerability by replacing to exsiting notes in Apache Zeppelin.This issue affects Apache Zeppelin: from 0.10.1 before 0.11.0.
Users are recommended to upgrade to version 0.11.0, which fixes the issue.
Severity
5.3 (Medium)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-290 - Authentication Bypass by Spoofing
Assigner
References
2 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache Zeppelin |
Affected:
0.10.1 , < 0.11.0
(semver)
|
|
| apache | zeppelin |
Affected:
0.10.1 , < 0.11.0
(custom)
cpe:2.3:a:apache:zeppelin:0.10.1:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:apache:zeppelin:0.10.1:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "zeppelin",
"vendor": "apache",
"versions": [
{
"lessThan": "0.11.0",
"status": "affected",
"version": "0.10.1",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-31863",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-25T18:20:37.629974Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-25T18:21:05.668Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T01:59:50.072Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/3od2gfpwllmtc9c5ggw04ohn8s7w3ct9"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2024/04/09/6"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.maven.apache.org/maven2",
"defaultStatus": "unaffected",
"packageName": "org.apache.zeppelin:zeppelin-server",
"product": "Apache Zeppelin",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "0.11.0",
"status": "affected",
"version": "0.10.1",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Esa Hiltunen"
},
{
"lang": "en",
"type": "finder",
"value": "https://teragrep.com"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Authentication Bypass by Spoofing vulnerability by replacing to exsiting notes in Apache Zeppelin.\u003cp\u003eThis issue affects Apache Zeppelin: from 0.10.1 before 0.11.0.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 0.11.0, which fixes the issue.\u003c/p\u003e"
}
],
"value": "Authentication Bypass by Spoofing vulnerability by replacing to exsiting notes in Apache Zeppelin.This issue affects Apache Zeppelin: from 0.10.1 before 0.11.0.\n\nUsers are recommended to upgrade to version 0.11.0, which fixes the issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "moderate"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-290",
"description": "CWE-290 Authentication Bypass by Spoofing",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-01T18:11:32.685Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/3od2gfpwllmtc9c5ggw04ohn8s7w3ct9"
},
{
"url": "http://www.openwall.com/lists/oss-security/2024/04/09/6"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache Zeppelin: Replacing other users notebook, bypassing any permissions",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2024-31863",
"datePublished": "2024-04-09T10:25:29.449Z",
"dateReserved": "2024-04-06T11:50:24.687Z",
"dateUpdated": "2025-03-25T18:21:05.668Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-31862 (GCVE-0-2024-31862)
Vulnerability from nvd – Published: 2024-04-09 09:40 – Updated: 2025-02-13 17:48
VLAI
Title
Apache Zeppelin: Denial of service with invalid notebook name
Summary
Improper Input Validation vulnerability in Apache Zeppelin when creating a new note from Zeppelin's UI.This issue affects Apache Zeppelin: from 0.10.1 before 0.11.0.
Users are recommended to upgrade to version 0.11.0, which fixes the issue.
Severity
5.3 (Medium)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-20 - Improper Input Validation
Assigner
References
3 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache Zeppelin |
Affected:
0.10.1 , < 0.11.0
(semver)
|
|
| apache | zeppelin |
Affected:
0.10.1 , < 0.11.0
(semver)
cpe:2.3:a:apache:zeppelin:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T01:59:49.405Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"patch",
"x_transferred"
],
"url": "https://github.com/apache/zeppelin/pull/4632"
},
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/73xdjx43yg4yz8bd4p3o8vzyybkysmn0"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2024/04/09/5"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:apache:zeppelin:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "zeppelin",
"vendor": "apache",
"versions": [
{
"lessThan": "0.11.0",
"status": "affected",
"version": "0.10.1",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-31862",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-21T14:23:58.003132Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-21T14:30:40.495Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.maven.apache.org/maven2",
"defaultStatus": "unaffected",
"packageName": "org.apache.zeppelin:zeppelin-server",
"product": "Apache Zeppelin",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "0.11.0",
"status": "affected",
"version": "0.10.1",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Esa Hiltunen"
},
{
"lang": "en",
"type": "finder",
"value": "https://teragrep.com"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Input Validation vulnerability in Apache Zeppelin when creating a new note from Zeppelin\u0027s UI.\u003cp\u003eThis issue affects Apache Zeppelin: from 0.10.1 before 0.11.0.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 0.11.0, which fixes the issue.\u003c/p\u003e"
}
],
"value": "Improper Input Validation vulnerability in Apache Zeppelin when creating a new note from Zeppelin\u0027s UI.This issue affects Apache Zeppelin: from 0.10.1 before 0.11.0.\n\nUsers are recommended to upgrade to version 0.11.0, which fixes the issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "moderate"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-01T19:07:45.971Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/apache/zeppelin/pull/4632"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/73xdjx43yg4yz8bd4p3o8vzyybkysmn0"
},
{
"url": "http://www.openwall.com/lists/oss-security/2024/04/09/5"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache Zeppelin: Denial of service with invalid notebook name",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2024-31862",
"datePublished": "2024-04-09T09:40:39.495Z",
"dateReserved": "2024-04-06T11:50:12.789Z",
"dateUpdated": "2025-02-13T17:48:04.941Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-28656 (GCVE-0-2021-28656)
Vulnerability from nvd – Published: 2024-04-09 09:12 – Updated: 2025-02-13 16:27
VLAI
Title
Apache Zeppelin: CSRF vulnerability in the Credentials page
Summary
Cross-Site Request Forgery (CSRF) vulnerability in Credential page of Apache Zeppelin allows an attacker to submit malicious request. This issue affects Apache Zeppelin Apache Zeppelin version 0.9.0 and prior versions.
Severity
5.4 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
References
2 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache Zeppelin |
Affected:
0 , ≤ 0.9.0
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2021-28656",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-04-10T18:54:51.213129Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-01T15:40:01.147Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-03T21:47:32.969Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/dttzkkv4qyn1rq2fdv1r94otb1osxztc"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2024/04/09/3"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache Zeppelin",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "0.9.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jiang Qingzhi"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Cross-Site Request Forgery (CSRF) vulnerability in Credential page of Apache Zeppelin allows an attacker to submit malicious request. This issue affects Apache Zeppelin Apache Zeppelin version 0.9.0 and prior versions."
}
],
"value": "Cross-Site Request Forgery (CSRF) vulnerability in Credential page of Apache Zeppelin allows an attacker to submit malicious request. This issue affects Apache Zeppelin Apache Zeppelin version 0.9.0 and prior versions."
}
],
"metrics": [
{
"other": {
"content": {
"text": "low"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-01T17:08:57.522Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/dttzkkv4qyn1rq2fdv1r94otb1osxztc"
},
{
"url": "http://www.openwall.com/lists/oss-security/2024/04/09/3"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache Zeppelin: CSRF vulnerability in the Credentials page",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2021-28656",
"datePublished": "2024-04-09T09:12:58.493Z",
"dateReserved": "2021-03-17T08:27:58.338Z",
"dateUpdated": "2025-02-13T16:27:59.379Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-31860 (GCVE-0-2024-31860)
Vulnerability from nvd – Published: 2024-04-09 09:08 – Updated: 2025-05-06 13:12
VLAI
Title
Apache Zeppelin: Path traversal vulnerability
Summary
Improper Input Validation vulnerability in Apache Zeppelin.
By adding relative path indicators(E.g ..), attackers can see the contents for any files in the filesystem that the server account can access.
This issue affects Apache Zeppelin: from 0.9.0 before 0.11.0.
Users are recommended to upgrade to version 0.11.0, which fixes the issue.
Severity
6.5 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/apache/zeppelin/pull/4632 | patch |
| https://lists.apache.org/thread/c0zfjnow3oc3dzc8w… | vendor-advisory |
| http://www.openwall.com/lists/oss-security/2024/04/09/2 | x_transferred |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache Zeppelin |
Affected:
0.9.0 , < 0.11.0
(semver)
|
|
| apache | zeppelin |
Affected:
0.9.0
cpe:2.3:a:apache:zeppelin:0.9.0:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:apache:zeppelin:0.9.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "zeppelin",
"vendor": "apache",
"versions": [
{
"status": "affected",
"version": "0.9.0"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-31860",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-04-22T18:40:26.643857Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:36:17.512Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T01:59:49.933Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"patch",
"x_transferred"
],
"url": "https://github.com/apache/zeppelin/pull/4632"
},
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/c0zfjnow3oc3dzc8w5rbkzj8lqj5jm5x"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2024/04/09/2"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.maven.apache.org/maven2",
"defaultStatus": "unaffected",
"packageName": "org.apache.zeppelin:zeppelin-server",
"product": "Apache Zeppelin",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "0.11.0",
"status": "affected",
"version": "0.9.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Kai Zhao"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Input Validation vulnerability in Apache Zeppelin.\u003cbr\u003e\u003cbr\u003eBy adding relative path indicators(E.g ..), attackers can see the contents for any files in the filesystem that the server account can access.\u0026nbsp;\u003cbr\u003e\u003cp\u003eThis issue affects Apache Zeppelin: from 0.9.0 before 0.11.0.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 0.11.0, which fixes the issue.\u003c/p\u003e"
}
],
"value": "Improper Input Validation vulnerability in Apache Zeppelin.\n\nBy adding relative path indicators(E.g ..), attackers can see the contents for any files in the filesystem that the server account can access.\u00a0\nThis issue affects Apache Zeppelin: from 0.9.0 before 0.11.0.\n\nUsers are recommended to upgrade to version 0.11.0, which fixes the issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "low"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-06T13:12:31.467Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/apache/zeppelin/pull/4632"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/c0zfjnow3oc3dzc8w5rbkzj8lqj5jm5x"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache Zeppelin: Path traversal vulnerability",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2024-31860",
"datePublished": "2024-04-09T09:08:28.802Z",
"dateReserved": "2024-04-06T11:49:32.612Z",
"dateUpdated": "2025-05-06T13:12:31.467Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-46870 (GCVE-0-2022-46870)
Vulnerability from nvd – Published: 2022-12-16 12:55 – Updated: 2025-04-17 15:36
VLAI
Title
Apache Zeppelin: Stored XSS in note permissions
Summary
An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Apache Zeppelin allows logged-in users to execute arbitrary javascript in other users' browsers.
This issue affects Apache Zeppelin before 0.8.2. Users are recommended to upgrade to a supported version of Zeppelin.
Severity
5.4 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://lists.apache.org/thread/gb1wdnrm1095xw6qz… | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache Zeppelin |
Affected:
0 , < 0.8.2
(maven)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T14:39:39.095Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/gb1wdnrm1095xw6qznpsycfrht4lwbwc"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-46870",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-17T15:36:02.123744Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-17T15:36:28.153Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache Zeppelin",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "0.8.2",
"status": "affected",
"version": "0",
"versionType": "maven"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in Apache Zeppelin allows logged-in users to execute arbitrary javascript in other users\u0027 browsers.\u003cbr\u003e\u003cp\u003eThis issue affects Apache Zeppelin before 0.8.2. Users are recommended to upgrade to a supported version of Zeppelin.\u003cbr\u003e\u003c/p\u003e"
}
],
"value": "An Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in Apache Zeppelin allows logged-in users to execute arbitrary javascript in other users\u0027 browsers.\nThis issue affects Apache Zeppelin before 0.8.2. Users are recommended to upgrade to a supported version of Zeppelin.\n\n\n"
}
],
"metrics": [
{
"other": {
"content": {
"text": "moderate"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-12-16T12:55:37.597Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/gb1wdnrm1095xw6qznpsycfrht4lwbwc"
}
],
"source": {
"defect": [
"ZEPPELIN-4333"
],
"discovery": "UNKNOWN"
},
"title": "Apache Zeppelin: Stored XSS in note permissions",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2022-46870",
"datePublished": "2022-12-16T12:55:37.597Z",
"dateReserved": "2022-12-09T14:04:31.289Z",
"dateUpdated": "2025-04-17T15:36:28.153Z",
"requesterUserId": "cf81350d-439c-4450-9d42-0a054bb6b6c9",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-28655 (GCVE-0-2021-28655)
Vulnerability from nvd – Published: 2022-12-16 12:51 – Updated: 2025-04-17 15:37
VLAI
Title
Apache Zeppelin: Arbitrary file deletion vulnerability
Summary
The improper Input Validation vulnerability in "”Move folder to Trash” feature of Apache Zeppelin allows an attacker to delete the arbitrary files. This issue affects Apache Zeppelin Apache Zeppelin version 0.9.0 and prior versions.
Severity
6.5 (Medium)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-20 - Improper Input Validation
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://lists.apache.org/thread/bxs056g3xlsofz0jb… | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache Zeppelin |
Affected:
0 , ≤ 0.9.0
(custom)
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T21:47:33.056Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/bxs056g3xlsofz0jb3wny9dw4llwptd2"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2021-28655",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-17T15:36:47.959954Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-17T15:37:14.575Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache Zeppelin",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "0.9.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Kai Zhao"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The improper Input Validation vulnerability in \"\u201dMove folder to Trash\u201d feature of Apache Zeppelin allows an attacker to delete the arbitrary files. This issue affects Apache Zeppelin Apache Zeppelin version 0.9.0 and prior versions."
}
],
"value": "The improper Input Validation vulnerability in \"\u201dMove folder to Trash\u201d feature of Apache Zeppelin allows an attacker to delete the arbitrary files. This issue affects Apache Zeppelin Apache Zeppelin version 0.9.0 and prior versions."
}
],
"metrics": [
{
"other": {
"content": {
"text": "important"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-12-19T12:55:19.145Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/bxs056g3xlsofz0jb3wny9dw4llwptd2"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache Zeppelin: Arbitrary file deletion vulnerability",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2021-28655",
"datePublished": "2022-12-16T12:51:51.927Z",
"dateReserved": "2021-03-17T08:27:06.184Z",
"dateUpdated": "2025-04-17T15:37:14.575Z",
"requesterUserId": "01d7ebfd-4418-401d-b8e4-f5ae3da29160",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-51775 (GCVE-0-2024-51775)
Vulnerability from cvelistv5 – Published: 2025-08-03 10:13 – Updated: 2025-11-04 21:09
VLAI
Title
Apache Zeppelin: Command Injection via CSWSH
Summary
Missing Origin Validation in WebSockets vulnerability in Apache Zeppelin.
The attacker could access the Zeppelin server from another origin without any restriction, and get internal information about paragraphs.
This issue affects Apache Zeppelin: from 0.11.1 before 0.12.0.
Users are recommended to upgrade to version 0.12.0, which fixes the issue.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-1385 - Missing Origin Validation in WebSockets
Assigner
References
2 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache Zeppelin |
Affected:
0.11.1 , < 0.12.0
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-51775",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-05T15:23:52.792934Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-05T15:24:11.780Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-04T21:09:01.910Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2025/08/03/5"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.maven.apache.org/maven2",
"defaultStatus": "unaffected",
"packageName": "org.apache.zeppelin:zeppelin-shell",
"product": "Apache Zeppelin",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "0.12.0",
"status": "affected",
"version": "0.11.1",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Calum Hutton"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eMissing Origin Validation in WebSockets vulnerability in Apache Zeppelin.\u003c/p\u003eThe attacker could access the Zeppelin server from another origin without any restriction, and get internal information about paragraphs.\u0026nbsp;\u003cbr\u003e\u003cp\u003eThis issue affects Apache Zeppelin: from 0.11.1 before 0.12.0.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 0.12.0, which fixes the issue.\u003c/p\u003e"
}
],
"value": "Missing Origin Validation in WebSockets vulnerability in Apache Zeppelin.\n\nThe attacker could access the Zeppelin server from another origin without any restriction, and get internal information about paragraphs.\u00a0\nThis issue affects Apache Zeppelin: from 0.11.1 before 0.12.0.\n\nUsers are recommended to upgrade to version 0.12.0, which fixes the issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "moderate"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1385",
"description": "CWE-1385 Missing Origin Validation in WebSockets",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-03T10:13:17.467Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/apache/zeppelin/pull/4823"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache Zeppelin: Command Injection via CSWSH",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2024-51775",
"datePublished": "2025-08-03T10:13:17.467Z",
"dateReserved": "2024-11-02T13:39:42.909Z",
"dateUpdated": "2025-11-04T21:09:01.910Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-41177 (GCVE-0-2024-41177)
Vulnerability from cvelistv5 – Published: 2025-08-03 10:09 – Updated: 2025-11-04 21:08
VLAI
Title
Apache Zeppelin: XSS in the Helium module
Summary
Incomplete Blacklist to Cross-Site Scripting vulnerability in Apache Zeppelin.
This issue affects Apache Zeppelin: before 0.12.0.
Users are recommended to upgrade to version 0.12.0, which fixes the issue.
Severity
6.1 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
4 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache Zeppelin |
Affected:
0 , < 0.12.0
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-41177",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-04T13:20:16.874641Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-04T13:21:36.476Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-04T21:08:43.404Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2025/08/03/4"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.maven.apache.org/maven2",
"defaultStatus": "unaffected",
"packageName": "org.apache.zeppelin:zeppelin-web",
"product": "Apache Zeppelin",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "0.12.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "H Ming"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIncomplete Blacklist to Cross-Site Scripting vulnerability in Apache Zeppelin.\u003c/p\u003e\u003cp\u003eThis issue affects Apache Zeppelin: before 0.12.0.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 0.12.0, which fixes the issue.\u003c/p\u003e"
}
],
"value": "Incomplete Blacklist to Cross-Site Scripting vulnerability in Apache Zeppelin.\n\nThis issue affects Apache Zeppelin: before 0.12.0.\n\nUsers are recommended to upgrade to version 0.12.0, which fixes the issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "moderate"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-03T10:09:43.302Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/apache/zeppelin/pull/4755"
},
{
"tags": [
"patch"
],
"url": "https://github.com/apache/zeppelin/pull/4795"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/nwh8vh9f3pnvt04n8z4g2kbddh62blr6"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache Zeppelin: XSS in the Helium module",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2024-41177",
"datePublished": "2025-08-03T10:09:43.302Z",
"dateReserved": "2024-07-17T14:51:36.965Z",
"dateUpdated": "2025-11-04T21:08:43.404Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-52279 (GCVE-0-2024-52279)
Vulnerability from cvelistv5 – Published: 2025-08-03 10:02 – Updated: 2025-11-04 21:09
VLAI
Title
Apache Zeppelin: Arbitrary file read by adding malicious JDBC connection string
Summary
Improper Input Validation vulnerability in Apache Zeppelin. The fix for JDBC URL validation in CVE-2024-31864 did not account for URL encoded input.
This issue affects Apache Zeppelin: from 0.11.1 before 0.12.0.
Users are recommended to upgrade to version 0.12.0, which fixes the issue.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-20 - Improper Input Validation
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://github.com/apache/zeppelin/pull/4838 | patch |
| https://issues.apache.org/jira/browse/ZEPPELIN-6095 | issue-tracking |
| https://www.cve.org/CVERecord?id=CVE-2024-31864 | issue-tracking |
| https://lists.apache.org/thread/dxb98vgrb21rrl3k0… | vendor-advisory |
| http://www.openwall.com/lists/oss-security/2025/08/03/3 |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache Zeppelin |
Affected:
0.11.1 , < 0.12.0
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-52279",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-05T15:24:44.320475Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-05T15:25:06.848Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-04T21:09:03.247Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2025/08/03/3"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.maven.apache.org/maven2",
"defaultStatus": "unaffected",
"packageName": "org.apache.zeppelin:zeppelin-jdbc",
"product": "Apache Zeppelin",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "0.12.0",
"status": "affected",
"version": "0.11.1",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "H Ming"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eImproper Input Validation vulnerability in Apache Zeppelin. The fix for JDBC URL validation in CVE-2024-31864 did not account for URL encoded input.\u003c/p\u003e\u003cp\u003eThis issue affects Apache Zeppelin: from 0.11.1 before 0.12.0.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 0.12.0, which fixes the issue.\u003c/p\u003e"
}
],
"value": "Improper Input Validation vulnerability in Apache Zeppelin. The fix for JDBC URL validation in CVE-2024-31864 did not account for URL encoded input.\n\nThis issue affects Apache Zeppelin: from 0.11.1 before 0.12.0.\n\nUsers are recommended to upgrade to version 0.12.0, which fixes the issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "moderate"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-03T10:02:05.153Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/apache/zeppelin/pull/4838"
},
{
"tags": [
"issue-tracking"
],
"url": "https://issues.apache.org/jira/browse/ZEPPELIN-6095"
},
{
"tags": [
"issue-tracking"
],
"url": "https://www.cve.org/CVERecord?id=CVE-2024-31864"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/dxb98vgrb21rrl3k0fzonpk66onr6o4q"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache Zeppelin: Arbitrary file read by adding malicious JDBC connection string",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2024-52279",
"datePublished": "2025-08-03T10:02:05.153Z",
"dateReserved": "2024-11-06T09:19:55.078Z",
"dateUpdated": "2025-11-04T21:09:03.247Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-41169 (GCVE-0-2024-41169)
Vulnerability from cvelistv5 – Published: 2025-07-12 16:22 – Updated: 2025-11-04 21:08
VLAI
Title
Apache Zeppelin: raft directory listing and file read
Summary
The attacker can use the raft server protocol in an unauthenticated way. The attacker can see the server's resources, including directories and files.
This issue affects Apache Zeppelin: from 0.10.1 up to 0.12.0.
Users are recommended to upgrade to version 0.12.0, which fixes the issue by removing the Cluster Interpreter.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-664 - Improper Control of a Resource Through its Lifetime
Assigner
References
4 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache Zeppelin |
Affected:
0.10.1 , < 0.12.0
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-41169",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-14T15:41:04.363543Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-14T15:42:07.486Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-04T21:08:42.107Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2025/07/13/1"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.maven.apache.org/maven2",
"defaultStatus": "unaffected",
"packageName": "org.apache.zeppelin:zeppelin-server",
"product": "Apache Zeppelin",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "0.12.0",
"status": "affected",
"version": "0.10.1",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "SuperX \u003csuperxyyang@gmail.com\u003e"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThe attacker can use the raft server protocol in an unauthenticated way. The attacker can see the server\u0027s resources, including directories and files.\u003c/p\u003e\u003cp\u003eThis issue affects Apache Zeppelin: from 0.10.1 up to 0.12.0.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 0.12.0,\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003ewhich fixes the issue by removing the Cluster Interpreter.\u003c/span\u003e\u003c/p\u003e"
}
],
"value": "The attacker can use the raft server protocol in an unauthenticated way. The attacker can see the server\u0027s resources, including directories and files.\n\nThis issue affects Apache Zeppelin: from 0.10.1 up to 0.12.0.\n\nUsers are recommended to upgrade to version 0.12.0,\u00a0which fixes the issue by removing the Cluster Interpreter."
}
],
"metrics": [
{
"other": {
"content": {
"text": "moderate"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-664",
"description": "CWE-664 Improper Control of a Resource Through its Lifetime",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-12T16:22:35.724Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/apache/zeppelin/pull/4841"
},
{
"tags": [
"issue-tracking"
],
"url": "https://issues.apache.org/jira/browse/ZEPPELIN-6101"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/moyym04993c8owh4h0qj98r43tbo8qdd"
}
],
"source": {
"advisory": "ZEPPELIN-6101",
"defect": [
"https://issues.apache.org/jira/browse/ZEPPELIN-6101"
],
"discovery": "UNKNOWN"
},
"title": "Apache Zeppelin: raft directory listing and file read",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2024-41169",
"datePublished": "2025-07-12T16:22:35.724Z",
"dateReserved": "2024-07-17T08:42:21.067Z",
"dateUpdated": "2025-11-04T21:08:42.107Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-31867 (GCVE-0-2024-31867)
Vulnerability from cvelistv5 – Published: 2024-04-09 16:15 – Updated: 2025-02-13 17:52
VLAI
Title
Apache Zeppelin: LDAP search filter query Injection Vulnerability
Summary
Improper Input Validation vulnerability in Apache Zeppelin.
The attackers can execute malicious queries by setting improper configuration properties to LDAP search filter.
This issue affects Apache Zeppelin: from 0.8.2 before 0.11.1.
Users are recommended to upgrade to version 0.11.1, which fixes the issue.
Severity
6.5 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-20 - Improper Input Validation
Assigner
References
3 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache Zeppelin |
Affected:
0.8.2 , < 0.11.1
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-31867",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-04-10T19:22:49.563785Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-06T20:51:43.890Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T01:59:49.387Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"patch",
"x_transferred"
],
"url": "https://github.com/apache/zeppelin/pull/4714"
},
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/s4scw8bxdhrjs0kg0lhb68xqd8y9lrtf"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2024/04/09/12"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.maven.apache.org/maven2",
"defaultStatus": "unaffected",
"packageName": "org.apache.zeppelin:zeppelin-server",
"product": "Apache Zeppelin",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "0.11.1",
"status": "affected",
"version": "0.8.2",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Qing Xu"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Input Validation vulnerability in Apache Zeppelin.\u003cbr\u003e\u003cbr\u003eThe attackers can execute malicious queries by setting improper configuration properties to LDAP search filter.\u003cbr\u003e\u003cp\u003eThis issue affects Apache Zeppelin: from 0.8.2 before 0.11.1.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 0.11.1, which fixes the issue.\u003c/p\u003e"
}
],
"value": "Improper Input Validation vulnerability in Apache Zeppelin.\n\nThe attackers can execute malicious queries by setting improper configuration properties to LDAP search filter.\nThis issue affects Apache Zeppelin: from 0.8.2 before 0.11.1.\n\nUsers are recommended to upgrade to version 0.11.1, which fixes the issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "moderate"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-01T18:07:13.058Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/apache/zeppelin/pull/4714"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/s4scw8bxdhrjs0kg0lhb68xqd8y9lrtf"
},
{
"url": "http://www.openwall.com/lists/oss-security/2024/04/09/12"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache Zeppelin: LDAP search filter query Injection Vulnerability",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2024-31867",
"datePublished": "2024-04-09T16:15:47.978Z",
"dateReserved": "2024-04-06T11:51:11.435Z",
"dateUpdated": "2025-02-13T17:52:00.183Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-31868 (GCVE-0-2024-31868)
Vulnerability from cvelistv5 – Published: 2024-04-09 16:10 – Updated: 2024-11-04 16:12
VLAI
Title
Apache Zeppelin: XSS vulnerability in the helium module
Summary
Improper Encoding or Escaping of Output vulnerability in Apache Zeppelin.
The attackers can modify helium.json and exposure XSS attacks to normal users.
This issue affects Apache Zeppelin: from 0.8.2 before 0.11.1.
Users are recommended to upgrade to version 0.11.1, which fixes the issue.
Severity
6.1 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/apache/zeppelin/pull/4728 | patch |
| https://lists.apache.org/thread/55mqs673plsxmgnq7… | vendor-advisory |
| http://www.openwall.com/lists/oss-security/2024/0… | x_transferred |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache Zeppelin |
Affected:
0.8.2 , < 0.11.1
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-31868",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-04-11T17:24:09.912394Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-04T16:12:40.294Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T01:59:50.569Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"patch",
"x_transferred"
],
"url": "https://github.com/apache/zeppelin/pull/4728"
},
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/55mqs673plsxmgnq7fdf2flftpllyf11"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2024/04/09/11"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.maven.apache.org/maven2",
"defaultStatus": "unaffected",
"packageName": "org.apache.zeppelin:zeppelin-interpreter",
"product": "Apache Zeppelin",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "0.11.1",
"status": "affected",
"version": "0.8.2",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "H Ming"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Encoding or Escaping of Output vulnerability in Apache Zeppelin.\u003cbr\u003e\u003cbr\u003eThe attackers can modify helium.json and exposure XSS attacks to normal users.\u003cbr\u003e\u003cp\u003eThis issue affects Apache Zeppelin: from 0.8.2 before 0.11.1.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 0.11.1, which fixes the issue.\u003c/p\u003e"
}
],
"value": "Improper Encoding or Escaping of Output vulnerability in Apache Zeppelin.\n\nThe attackers can modify helium.json and exposure XSS attacks to normal users.\nThis issue affects Apache Zeppelin: from 0.8.2 before 0.11.1.\n\nUsers are recommended to upgrade to version 0.11.1, which fixes the issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "moderate"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-03T12:35:16.585Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/apache/zeppelin/pull/4728"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/55mqs673plsxmgnq7fdf2flftpllyf11"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache Zeppelin: XSS vulnerability in the helium module",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2024-31868",
"datePublished": "2024-04-09T16:10:30.671Z",
"dateReserved": "2024-04-06T11:51:21.885Z",
"dateUpdated": "2024-11-04T16:12:40.294Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-31866 (GCVE-0-2024-31866)
Vulnerability from cvelistv5 – Published: 2024-04-09 16:09 – Updated: 2025-02-13 17:51
VLAI
Title
Apache Zeppelin: Interpreter download command does not escape malicious code injection
Summary
Improper Encoding or Escaping of Output vulnerability in Apache Zeppelin.
The attackers can execute shell scripts or malicious code by overriding configuration like ZEPPELIN_INTP_CLASSPATH_OVERRIDES.
This issue affects Apache Zeppelin: from 0.8.2 before 0.11.1.
Users are recommended to upgrade to version 0.11.1, which fixes the issue.
Severity
9.8 (Critical)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-116 - Improper Encoding or Escaping of Output
Assigner
References
3 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache Zeppelin |
Affected:
0.8.2 , < 0.11.1
(semver)
|
|
| apache_software_foundation | apache_zeppelin |
Affected:
0.8.2 , < 0.11.1
(semver)
cpe:2.3:a:apache_software_foundation:apache_zeppelin:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T01:59:50.665Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"patch",
"x_transferred"
],
"url": "https://github.com/apache/zeppelin/pull/4715"
},
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/jpkbq3oktopt34x2n5wnhzc2r1410ddd"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2024/04/09/10"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:apache_software_foundation:apache_zeppelin:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "apache_zeppelin",
"vendor": "apache_software_foundation",
"versions": [
{
"lessThan": "0.11.1",
"status": "affected",
"version": "0.8.2",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-31866",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-21T13:59:15.091777Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-21T14:33:03.134Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.maven.apache.org/maven2",
"defaultStatus": "unaffected",
"packageName": "org.apache.zeppelin:zeppelin-interpreter",
"product": "Apache Zeppelin",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "0.11.1",
"status": "affected",
"version": "0.8.2",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Esa Hiltunen"
},
{
"lang": "en",
"type": "finder",
"value": "https://teragrep.com"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Encoding or Escaping of Output vulnerability in Apache Zeppelin.\u003cbr\u003e\u003cbr\u003eThe attackers can execute shell scripts or malicious code by overriding configuration like\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eZEPPELIN_INTP_CLASSPATH_OVERRIDES.\u003c/span\u003e\u003cbr\u003e\u003cp\u003eThis issue affects Apache Zeppelin: from 0.8.2 before 0.11.1.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 0.11.1, which fixes the issue.\u003c/p\u003e"
}
],
"value": "Improper Encoding or Escaping of Output vulnerability in Apache Zeppelin.\n\nThe attackers can execute shell scripts or malicious code by overriding configuration like\u00a0ZEPPELIN_INTP_CLASSPATH_OVERRIDES.\nThis issue affects Apache Zeppelin: from 0.8.2 before 0.11.1.\n\nUsers are recommended to upgrade to version 0.11.1, which fixes the issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "moderate"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-116",
"description": "CWE-116 Improper Encoding or Escaping of Output",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-01T18:07:49.092Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/apache/zeppelin/pull/4715"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/jpkbq3oktopt34x2n5wnhzc2r1410ddd"
},
{
"url": "http://www.openwall.com/lists/oss-security/2024/04/09/10"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache Zeppelin: Interpreter download command does not escape malicious code injection",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2024-31866",
"datePublished": "2024-04-09T16:09:12.117Z",
"dateReserved": "2024-04-06T11:51:00.551Z",
"dateUpdated": "2025-02-13T17:51:59.550Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-31865 (GCVE-0-2024-31865)
Vulnerability from cvelistv5 – Published: 2024-04-09 16:07 – Updated: 2025-02-13 17:48
VLAI
Title
Apache Zeppelin: Cron arbitrary user impersonation with improper privileges
Summary
Improper Input Validation vulnerability in Apache Zeppelin.
The attackers can call updating cron API with invalid or improper privileges so that the notebook can run with the privileges.
This issue affects Apache Zeppelin: from 0.8.2 before 0.11.1.
Users are recommended to upgrade to version 0.11.1, which fixes the issue.
Severity
6.5 (Medium)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-20 - Improper Input Validation
Assigner
References
3 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache Zeppelin |
Affected:
0.8.2 , < 0.11.1
(semver)
|
|
| apache | zeppelin |
Affected:
0.8.2
cpe:2.3:a:apache:zeppelin:0.8.2:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:apache:zeppelin:0.8.2:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "zeppelin",
"vendor": "apache",
"versions": [
{
"status": "affected",
"version": "0.8.2"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-31865",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-04-22T18:48:59.403032Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:36:49.248Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T01:59:49.913Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"patch",
"x_transferred"
],
"url": "https://github.com/apache/zeppelin/pull/4631"
},
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/slm1sf0slwc11f4m4r0nd6ot2rf7w81l"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2024/04/09/9"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.maven.apache.org/maven2",
"defaultStatus": "unaffected",
"packageName": "org.apache.zeppelin:zeppelin-server",
"product": "Apache Zeppelin",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "0.11.1",
"status": "affected",
"version": "0.8.2",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Esa Hiltunen"
},
{
"lang": "en",
"type": "finder",
"value": "https://teragrep.com"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eImproper Input Validation vulnerability in Apache Zeppelin.\u003c/p\u003e\u003cp\u003eThe attackers can call updating cron API with invalid or improper privileges so that the notebook can run with the privileges.\u003c/p\u003e\u003cp\u003eThis issue affects Apache Zeppelin: from 0.8.2 before 0.11.1.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 0.11.1, which fixes the issue.\u003c/p\u003e"
}
],
"value": "Improper Input Validation vulnerability in Apache Zeppelin.\n\nThe attackers can call updating cron API with invalid or improper privileges so that the notebook can run with the privileges.\n\nThis issue affects Apache Zeppelin: from 0.8.2 before 0.11.1.\n\nUsers are recommended to upgrade to version 0.11.1, which fixes the issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "moderate"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-01T18:11:41.213Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/apache/zeppelin/pull/4631"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/slm1sf0slwc11f4m4r0nd6ot2rf7w81l"
},
{
"url": "http://www.openwall.com/lists/oss-security/2024/04/09/9"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache Zeppelin: Cron arbitrary user impersonation with improper privileges",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2024-31865",
"datePublished": "2024-04-09T16:07:36.358Z",
"dateReserved": "2024-04-06T11:50:47.384Z",
"dateUpdated": "2025-02-13T17:48:06.867Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-31864 (GCVE-0-2024-31864)
Vulnerability from cvelistv5 – Published: 2024-04-09 16:05 – Updated: 2025-11-04 21:08
VLAI
Title
Apache Zeppelin: Remote code execution by adding malicious JDBC connection string
Summary
Improper Control of Generation of Code ('Code Injection') vulnerability in Apache Zeppelin.
The attacker can inject sensitive configuration or malicious code when connecting MySQL database via JDBC driver.
This issue affects Apache Zeppelin: before 0.11.1.
Users are recommended to upgrade to version 0.11.1, which fixes the issue.
Severity
9.8 (Critical)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-94 - Improper Control of Generation of Code ('Code Injection')
Assigner
References
5 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache Zeppelin |
Affected:
0 , < 0.11.1
(semver)
|
|
| apache | zeppelin |
Affected:
0 , < 0.11.1
(semver)
cpe:2.3:a:apache:zeppelin:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:apache:zeppelin:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "zeppelin",
"vendor": "apache",
"versions": [
{
"lessThan": "0.11.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-31864",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-31T21:01:13.020171Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-31T21:03:11.993Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-04T21:08:35.546Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"patch",
"x_transferred"
],
"url": "https://github.com/apache/zeppelin/pull/4709"
},
{
"tags": [
"related",
"x_transferred"
],
"url": "https://www.cve.org/CVERecord?id=CVE-2020-11974"
},
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/752qdk0rnkd9nqtornz734zwb7xdwcdb"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2024/04/09/8"
},
{
"url": "http://www.openwall.com/lists/oss-security/2025/08/03/3"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.maven.apache.org/maven2",
"defaultStatus": "unaffected",
"product": "Apache Zeppelin",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "0.11.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "rg"
},
{
"lang": "en",
"type": "finder",
"value": "Nbxiglk"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Control of Generation of Code (\u0027Code Injection\u0027) vulnerability in Apache Zeppelin.\u003cbr\u003e\u003cbr\u003eThe attacker can inject sensitive configuration or malicious code when connecting MySQL database via JDBC driver.\u003cbr\u003e\u003cp\u003eThis issue affects Apache Zeppelin: before 0.11.1.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 0.11.1, which fixes the issue.\u003c/p\u003e"
}
],
"value": "Improper Control of Generation of Code (\u0027Code Injection\u0027) vulnerability in Apache Zeppelin.\n\nThe attacker can inject sensitive configuration or malicious code when connecting MySQL database via JDBC driver.\nThis issue affects Apache Zeppelin: before 0.11.1.\n\nUsers are recommended to upgrade to version 0.11.1, which fixes the issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "moderate"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-01T18:11:46.568Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/apache/zeppelin/pull/4709"
},
{
"tags": [
"related"
],
"url": "https://www.cve.org/CVERecord?id=CVE-2020-11974"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/752qdk0rnkd9nqtornz734zwb7xdwcdb"
},
{
"url": "http://www.openwall.com/lists/oss-security/2024/04/09/8"
}
],
"source": {
"defect": [
"ZEPPELIN-5990"
],
"discovery": "UNKNOWN"
},
"title": "Apache Zeppelin: Remote code execution by adding malicious JDBC connection string",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2024-31864",
"datePublished": "2024-04-09T16:05:32.690Z",
"dateReserved": "2024-04-06T11:50:37.125Z",
"dateUpdated": "2025-11-04T21:08:35.546Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-31863 (GCVE-0-2024-31863)
Vulnerability from cvelistv5 – Published: 2024-04-09 10:25 – Updated: 2025-03-25 18:21
VLAI
Title
Apache Zeppelin: Replacing other users notebook, bypassing any permissions
Summary
Authentication Bypass by Spoofing vulnerability by replacing to exsiting notes in Apache Zeppelin.This issue affects Apache Zeppelin: from 0.10.1 before 0.11.0.
Users are recommended to upgrade to version 0.11.0, which fixes the issue.
Severity
5.3 (Medium)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-290 - Authentication Bypass by Spoofing
Assigner
References
2 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache Zeppelin |
Affected:
0.10.1 , < 0.11.0
(semver)
|
|
| apache | zeppelin |
Affected:
0.10.1 , < 0.11.0
(custom)
cpe:2.3:a:apache:zeppelin:0.10.1:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:apache:zeppelin:0.10.1:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "zeppelin",
"vendor": "apache",
"versions": [
{
"lessThan": "0.11.0",
"status": "affected",
"version": "0.10.1",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-31863",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-25T18:20:37.629974Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-25T18:21:05.668Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T01:59:50.072Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/3od2gfpwllmtc9c5ggw04ohn8s7w3ct9"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2024/04/09/6"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.maven.apache.org/maven2",
"defaultStatus": "unaffected",
"packageName": "org.apache.zeppelin:zeppelin-server",
"product": "Apache Zeppelin",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "0.11.0",
"status": "affected",
"version": "0.10.1",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Esa Hiltunen"
},
{
"lang": "en",
"type": "finder",
"value": "https://teragrep.com"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Authentication Bypass by Spoofing vulnerability by replacing to exsiting notes in Apache Zeppelin.\u003cp\u003eThis issue affects Apache Zeppelin: from 0.10.1 before 0.11.0.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 0.11.0, which fixes the issue.\u003c/p\u003e"
}
],
"value": "Authentication Bypass by Spoofing vulnerability by replacing to exsiting notes in Apache Zeppelin.This issue affects Apache Zeppelin: from 0.10.1 before 0.11.0.\n\nUsers are recommended to upgrade to version 0.11.0, which fixes the issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "moderate"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-290",
"description": "CWE-290 Authentication Bypass by Spoofing",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-01T18:11:32.685Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/3od2gfpwllmtc9c5ggw04ohn8s7w3ct9"
},
{
"url": "http://www.openwall.com/lists/oss-security/2024/04/09/6"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache Zeppelin: Replacing other users notebook, bypassing any permissions",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2024-31863",
"datePublished": "2024-04-09T10:25:29.449Z",
"dateReserved": "2024-04-06T11:50:24.687Z",
"dateUpdated": "2025-03-25T18:21:05.668Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-31862 (GCVE-0-2024-31862)
Vulnerability from cvelistv5 – Published: 2024-04-09 09:40 – Updated: 2025-02-13 17:48
VLAI
Title
Apache Zeppelin: Denial of service with invalid notebook name
Summary
Improper Input Validation vulnerability in Apache Zeppelin when creating a new note from Zeppelin's UI.This issue affects Apache Zeppelin: from 0.10.1 before 0.11.0.
Users are recommended to upgrade to version 0.11.0, which fixes the issue.
Severity
5.3 (Medium)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-20 - Improper Input Validation
Assigner
References
3 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache Zeppelin |
Affected:
0.10.1 , < 0.11.0
(semver)
|
|
| apache | zeppelin |
Affected:
0.10.1 , < 0.11.0
(semver)
cpe:2.3:a:apache:zeppelin:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T01:59:49.405Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"patch",
"x_transferred"
],
"url": "https://github.com/apache/zeppelin/pull/4632"
},
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/73xdjx43yg4yz8bd4p3o8vzyybkysmn0"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2024/04/09/5"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:apache:zeppelin:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "zeppelin",
"vendor": "apache",
"versions": [
{
"lessThan": "0.11.0",
"status": "affected",
"version": "0.10.1",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-31862",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-21T14:23:58.003132Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-21T14:30:40.495Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.maven.apache.org/maven2",
"defaultStatus": "unaffected",
"packageName": "org.apache.zeppelin:zeppelin-server",
"product": "Apache Zeppelin",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "0.11.0",
"status": "affected",
"version": "0.10.1",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Esa Hiltunen"
},
{
"lang": "en",
"type": "finder",
"value": "https://teragrep.com"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Input Validation vulnerability in Apache Zeppelin when creating a new note from Zeppelin\u0027s UI.\u003cp\u003eThis issue affects Apache Zeppelin: from 0.10.1 before 0.11.0.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 0.11.0, which fixes the issue.\u003c/p\u003e"
}
],
"value": "Improper Input Validation vulnerability in Apache Zeppelin when creating a new note from Zeppelin\u0027s UI.This issue affects Apache Zeppelin: from 0.10.1 before 0.11.0.\n\nUsers are recommended to upgrade to version 0.11.0, which fixes the issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "moderate"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-01T19:07:45.971Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/apache/zeppelin/pull/4632"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/73xdjx43yg4yz8bd4p3o8vzyybkysmn0"
},
{
"url": "http://www.openwall.com/lists/oss-security/2024/04/09/5"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache Zeppelin: Denial of service with invalid notebook name",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2024-31862",
"datePublished": "2024-04-09T09:40:39.495Z",
"dateReserved": "2024-04-06T11:50:12.789Z",
"dateUpdated": "2025-02-13T17:48:04.941Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-28656 (GCVE-0-2021-28656)
Vulnerability from cvelistv5 – Published: 2024-04-09 09:12 – Updated: 2025-02-13 16:27
VLAI
Title
Apache Zeppelin: CSRF vulnerability in the Credentials page
Summary
Cross-Site Request Forgery (CSRF) vulnerability in Credential page of Apache Zeppelin allows an attacker to submit malicious request. This issue affects Apache Zeppelin Apache Zeppelin version 0.9.0 and prior versions.
Severity
5.4 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
References
2 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache Zeppelin |
Affected:
0 , ≤ 0.9.0
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2021-28656",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-04-10T18:54:51.213129Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-01T15:40:01.147Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-03T21:47:32.969Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/dttzkkv4qyn1rq2fdv1r94otb1osxztc"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2024/04/09/3"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache Zeppelin",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "0.9.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jiang Qingzhi"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Cross-Site Request Forgery (CSRF) vulnerability in Credential page of Apache Zeppelin allows an attacker to submit malicious request. This issue affects Apache Zeppelin Apache Zeppelin version 0.9.0 and prior versions."
}
],
"value": "Cross-Site Request Forgery (CSRF) vulnerability in Credential page of Apache Zeppelin allows an attacker to submit malicious request. This issue affects Apache Zeppelin Apache Zeppelin version 0.9.0 and prior versions."
}
],
"metrics": [
{
"other": {
"content": {
"text": "low"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-01T17:08:57.522Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/dttzkkv4qyn1rq2fdv1r94otb1osxztc"
},
{
"url": "http://www.openwall.com/lists/oss-security/2024/04/09/3"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache Zeppelin: CSRF vulnerability in the Credentials page",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2021-28656",
"datePublished": "2024-04-09T09:12:58.493Z",
"dateReserved": "2021-03-17T08:27:58.338Z",
"dateUpdated": "2025-02-13T16:27:59.379Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-31860 (GCVE-0-2024-31860)
Vulnerability from cvelistv5 – Published: 2024-04-09 09:08 – Updated: 2025-05-06 13:12
VLAI
Title
Apache Zeppelin: Path traversal vulnerability
Summary
Improper Input Validation vulnerability in Apache Zeppelin.
By adding relative path indicators(E.g ..), attackers can see the contents for any files in the filesystem that the server account can access.
This issue affects Apache Zeppelin: from 0.9.0 before 0.11.0.
Users are recommended to upgrade to version 0.11.0, which fixes the issue.
Severity
6.5 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/apache/zeppelin/pull/4632 | patch |
| https://lists.apache.org/thread/c0zfjnow3oc3dzc8w… | vendor-advisory |
| http://www.openwall.com/lists/oss-security/2024/04/09/2 | x_transferred |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache Zeppelin |
Affected:
0.9.0 , < 0.11.0
(semver)
|
|
| apache | zeppelin |
Affected:
0.9.0
cpe:2.3:a:apache:zeppelin:0.9.0:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:apache:zeppelin:0.9.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "zeppelin",
"vendor": "apache",
"versions": [
{
"status": "affected",
"version": "0.9.0"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-31860",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-04-22T18:40:26.643857Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:36:17.512Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T01:59:49.933Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"patch",
"x_transferred"
],
"url": "https://github.com/apache/zeppelin/pull/4632"
},
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/c0zfjnow3oc3dzc8w5rbkzj8lqj5jm5x"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2024/04/09/2"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.maven.apache.org/maven2",
"defaultStatus": "unaffected",
"packageName": "org.apache.zeppelin:zeppelin-server",
"product": "Apache Zeppelin",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "0.11.0",
"status": "affected",
"version": "0.9.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Kai Zhao"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Input Validation vulnerability in Apache Zeppelin.\u003cbr\u003e\u003cbr\u003eBy adding relative path indicators(E.g ..), attackers can see the contents for any files in the filesystem that the server account can access.\u0026nbsp;\u003cbr\u003e\u003cp\u003eThis issue affects Apache Zeppelin: from 0.9.0 before 0.11.0.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 0.11.0, which fixes the issue.\u003c/p\u003e"
}
],
"value": "Improper Input Validation vulnerability in Apache Zeppelin.\n\nBy adding relative path indicators(E.g ..), attackers can see the contents for any files in the filesystem that the server account can access.\u00a0\nThis issue affects Apache Zeppelin: from 0.9.0 before 0.11.0.\n\nUsers are recommended to upgrade to version 0.11.0, which fixes the issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "low"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-06T13:12:31.467Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/apache/zeppelin/pull/4632"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/c0zfjnow3oc3dzc8w5rbkzj8lqj5jm5x"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache Zeppelin: Path traversal vulnerability",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2024-31860",
"datePublished": "2024-04-09T09:08:28.802Z",
"dateReserved": "2024-04-06T11:49:32.612Z",
"dateUpdated": "2025-05-06T13:12:31.467Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-46870 (GCVE-0-2022-46870)
Vulnerability from cvelistv5 – Published: 2022-12-16 12:55 – Updated: 2025-04-17 15:36
VLAI
Title
Apache Zeppelin: Stored XSS in note permissions
Summary
An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Apache Zeppelin allows logged-in users to execute arbitrary javascript in other users' browsers.
This issue affects Apache Zeppelin before 0.8.2. Users are recommended to upgrade to a supported version of Zeppelin.
Severity
5.4 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://lists.apache.org/thread/gb1wdnrm1095xw6qz… | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache Zeppelin |
Affected:
0 , < 0.8.2
(maven)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T14:39:39.095Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/gb1wdnrm1095xw6qznpsycfrht4lwbwc"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-46870",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-17T15:36:02.123744Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-17T15:36:28.153Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache Zeppelin",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "0.8.2",
"status": "affected",
"version": "0",
"versionType": "maven"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in Apache Zeppelin allows logged-in users to execute arbitrary javascript in other users\u0027 browsers.\u003cbr\u003e\u003cp\u003eThis issue affects Apache Zeppelin before 0.8.2. Users are recommended to upgrade to a supported version of Zeppelin.\u003cbr\u003e\u003c/p\u003e"
}
],
"value": "An Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in Apache Zeppelin allows logged-in users to execute arbitrary javascript in other users\u0027 browsers.\nThis issue affects Apache Zeppelin before 0.8.2. Users are recommended to upgrade to a supported version of Zeppelin.\n\n\n"
}
],
"metrics": [
{
"other": {
"content": {
"text": "moderate"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-12-16T12:55:37.597Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/gb1wdnrm1095xw6qznpsycfrht4lwbwc"
}
],
"source": {
"defect": [
"ZEPPELIN-4333"
],
"discovery": "UNKNOWN"
},
"title": "Apache Zeppelin: Stored XSS in note permissions",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2022-46870",
"datePublished": "2022-12-16T12:55:37.597Z",
"dateReserved": "2022-12-09T14:04:31.289Z",
"dateUpdated": "2025-04-17T15:36:28.153Z",
"requesterUserId": "cf81350d-439c-4450-9d42-0a054bb6b6c9",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-28655 (GCVE-0-2021-28655)
Vulnerability from cvelistv5 – Published: 2022-12-16 12:51 – Updated: 2025-04-17 15:37
VLAI
Title
Apache Zeppelin: Arbitrary file deletion vulnerability
Summary
The improper Input Validation vulnerability in "”Move folder to Trash” feature of Apache Zeppelin allows an attacker to delete the arbitrary files. This issue affects Apache Zeppelin Apache Zeppelin version 0.9.0 and prior versions.
Severity
6.5 (Medium)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-20 - Improper Input Validation
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://lists.apache.org/thread/bxs056g3xlsofz0jb… | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache Zeppelin |
Affected:
0 , ≤ 0.9.0
(custom)
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T21:47:33.056Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/bxs056g3xlsofz0jb3wny9dw4llwptd2"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2021-28655",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-17T15:36:47.959954Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-17T15:37:14.575Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache Zeppelin",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "0.9.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Kai Zhao"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The improper Input Validation vulnerability in \"\u201dMove folder to Trash\u201d feature of Apache Zeppelin allows an attacker to delete the arbitrary files. This issue affects Apache Zeppelin Apache Zeppelin version 0.9.0 and prior versions."
}
],
"value": "The improper Input Validation vulnerability in \"\u201dMove folder to Trash\u201d feature of Apache Zeppelin allows an attacker to delete the arbitrary files. This issue affects Apache Zeppelin Apache Zeppelin version 0.9.0 and prior versions."
}
],
"metrics": [
{
"other": {
"content": {
"text": "important"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-12-19T12:55:19.145Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/bxs056g3xlsofz0jb3wny9dw4llwptd2"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache Zeppelin: Arbitrary file deletion vulnerability",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2021-28655",
"datePublished": "2022-12-16T12:51:51.927Z",
"dateReserved": "2021-03-17T08:27:06.184Z",
"dateUpdated": "2025-04-17T15:37:14.575Z",
"requesterUserId": "01d7ebfd-4418-401d-b8e4-f5ae3da29160",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}