Search
Find a vulnerability
Search criteria
2 vulnerabilities found for Apache Zeppelin SAP by Apache Software Foundation
CVE-2022-47894 (GCVE-0-2022-47894)
Vulnerability from nvd – Published: 2024-04-09 09:29 – Updated: 2025-02-13 16:34 Unsupported When Assigned
VLAI
Title
Apache Zeppelin SAP: connecting to a malicious SAP server allowed it to perform XXE
Summary
Improper Input Validation vulnerability in Apache Zeppelin SAP.This issue affects Apache Zeppelin SAP: from 0.8.0 before 0.11.0.
As this project is retired, we do not plan to release a version that fixes this issue. Users are recommended to find an alternative or restrict access to the instance to trusted users.
For more information, the fix already was merged in the source code but Zeppelin decided to retire the SAP component
NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
Severity
5.3 (Medium)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-20 - Improper Input Validation
Assigner
References
3 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache Zeppelin SAP |
Affected:
0.8.0 , < 0.11.0
(semver)
|
|
| apache | zeppelin |
Affected:
0.8.0 , < 0.11.0
(semver)
cpe:2.3:a:apache:zeppelin:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T15:02:36.523Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"patch",
"x_transferred"
],
"url": "https://github.com/apache/zeppelin/pull/4302"
},
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/csf4k73kkn3nx58pm0p2qrylbox4fvyy"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2024/04/09/4"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:apache:zeppelin:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "zeppelin",
"vendor": "apache",
"versions": [
{
"lessThan": "0.11.0",
"status": "affected",
"version": "0.8.0",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-47894",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-27T20:43:16.714571Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-29T20:27:46.458Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.maven.apache.org/maven2",
"defaultStatus": "unaffected",
"packageName": "org.apache.zeppelin:sap",
"product": "Apache Zeppelin SAP",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "0.11.0",
"status": "affected",
"version": "0.8.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "kuiplatain@knownsec 404 Team"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Input Validation vulnerability in Apache Zeppelin SAP.\u003cp\u003eThis issue affects Apache Zeppelin SAP: from 0.8.0 before 0.11.0.\u003c/p\u003eAs this project is retired, we do not plan to release a version that fixes this issue. Users are recommended to find an alternative or restrict access to the instance to trusted users.\u003cbr\u003e\u003cbr\u003eFor more information, the fix already was merged in the source code but Zeppelin decided to retire the SAP component\u003cbr\u003e\u003cp\u003eNOTE: This vulnerability only affects products that are no longer supported by the maintainer.\u003c/p\u003e"
}
],
"value": "Improper Input Validation vulnerability in Apache Zeppelin SAP.This issue affects Apache Zeppelin SAP: from 0.8.0 before 0.11.0.\n\nAs this project is retired, we do not plan to release a version that fixes this issue. Users are recommended to find an alternative or restrict access to the instance to trusted users.\n\nFor more information, the fix already was merged in the source code but Zeppelin decided to retire the SAP component\nNOTE: This vulnerability only affects products that are no longer supported by the maintainer."
}
],
"metrics": [
{
"other": {
"content": {
"text": "moderate"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-01T17:13:26.541Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/apache/zeppelin/pull/4302"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/csf4k73kkn3nx58pm0p2qrylbox4fvyy"
},
{
"url": "http://www.openwall.com/lists/oss-security/2024/04/09/4"
}
],
"source": {
"defect": [
"ZEPPELIN-5665"
],
"discovery": "UNKNOWN"
},
"tags": [
"unsupported-when-assigned"
],
"title": "Apache Zeppelin SAP: connecting to a malicious SAP server allowed it to perform XXE",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2022-47894",
"datePublished": "2024-04-09T09:29:17.806Z",
"dateReserved": "2022-12-21T15:34:42.006Z",
"dateUpdated": "2025-02-13T16:34:01.816Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-47894 (GCVE-0-2022-47894)
Vulnerability from cvelistv5 – Published: 2024-04-09 09:29 – Updated: 2025-02-13 16:34 Unsupported When Assigned
VLAI
Title
Apache Zeppelin SAP: connecting to a malicious SAP server allowed it to perform XXE
Summary
Improper Input Validation vulnerability in Apache Zeppelin SAP.This issue affects Apache Zeppelin SAP: from 0.8.0 before 0.11.0.
As this project is retired, we do not plan to release a version that fixes this issue. Users are recommended to find an alternative or restrict access to the instance to trusted users.
For more information, the fix already was merged in the source code but Zeppelin decided to retire the SAP component
NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
Severity
5.3 (Medium)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-20 - Improper Input Validation
Assigner
References
3 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache Zeppelin SAP |
Affected:
0.8.0 , < 0.11.0
(semver)
|
|
| apache | zeppelin |
Affected:
0.8.0 , < 0.11.0
(semver)
cpe:2.3:a:apache:zeppelin:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T15:02:36.523Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"patch",
"x_transferred"
],
"url": "https://github.com/apache/zeppelin/pull/4302"
},
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/csf4k73kkn3nx58pm0p2qrylbox4fvyy"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2024/04/09/4"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:apache:zeppelin:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "zeppelin",
"vendor": "apache",
"versions": [
{
"lessThan": "0.11.0",
"status": "affected",
"version": "0.8.0",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-47894",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-27T20:43:16.714571Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-29T20:27:46.458Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.maven.apache.org/maven2",
"defaultStatus": "unaffected",
"packageName": "org.apache.zeppelin:sap",
"product": "Apache Zeppelin SAP",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "0.11.0",
"status": "affected",
"version": "0.8.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "kuiplatain@knownsec 404 Team"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Input Validation vulnerability in Apache Zeppelin SAP.\u003cp\u003eThis issue affects Apache Zeppelin SAP: from 0.8.0 before 0.11.0.\u003c/p\u003eAs this project is retired, we do not plan to release a version that fixes this issue. Users are recommended to find an alternative or restrict access to the instance to trusted users.\u003cbr\u003e\u003cbr\u003eFor more information, the fix already was merged in the source code but Zeppelin decided to retire the SAP component\u003cbr\u003e\u003cp\u003eNOTE: This vulnerability only affects products that are no longer supported by the maintainer.\u003c/p\u003e"
}
],
"value": "Improper Input Validation vulnerability in Apache Zeppelin SAP.This issue affects Apache Zeppelin SAP: from 0.8.0 before 0.11.0.\n\nAs this project is retired, we do not plan to release a version that fixes this issue. Users are recommended to find an alternative or restrict access to the instance to trusted users.\n\nFor more information, the fix already was merged in the source code but Zeppelin decided to retire the SAP component\nNOTE: This vulnerability only affects products that are no longer supported by the maintainer."
}
],
"metrics": [
{
"other": {
"content": {
"text": "moderate"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-01T17:13:26.541Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/apache/zeppelin/pull/4302"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/csf4k73kkn3nx58pm0p2qrylbox4fvyy"
},
{
"url": "http://www.openwall.com/lists/oss-security/2024/04/09/4"
}
],
"source": {
"defect": [
"ZEPPELIN-5665"
],
"discovery": "UNKNOWN"
},
"tags": [
"unsupported-when-assigned"
],
"title": "Apache Zeppelin SAP: connecting to a malicious SAP server allowed it to perform XXE",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2022-47894",
"datePublished": "2024-04-09T09:29:17.806Z",
"dateReserved": "2022-12-21T15:34:42.006Z",
"dateUpdated": "2025-02-13T16:34:01.816Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}