Vulnerabilites related to Apache Software Foundation - Apache Zeppelin
CVE-2024-31866 (GCVE-0-2024-31866)
Vulnerability from cvelistv5
Published
2024-04-09 16:09
Modified
2025-02-13 17:51
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-116 - Improper Encoding or Escaping of Output
Summary
Improper Encoding or Escaping of Output vulnerability in Apache Zeppelin.
The attackers can execute shell scripts or malicious code by overriding configuration like ZEPPELIN_INTP_CLASSPATH_OVERRIDES.
This issue affects Apache Zeppelin: from 0.8.2 before 0.11.1.
Users are recommended to upgrade to version 0.11.1, which fixes the issue.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Zeppelin |
Version: 0.8.2 ≤ |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T01:59:50.665Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"patch",
"x_transferred"
],
"url": "https://github.com/apache/zeppelin/pull/4715"
},
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/jpkbq3oktopt34x2n5wnhzc2r1410ddd"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2024/04/09/10"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:apache_software_foundation:apache_zeppelin:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "apache_zeppelin",
"vendor": "apache_software_foundation",
"versions": [
{
"lessThan": "0.11.1",
"status": "affected",
"version": "0.8.2",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-31866",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-21T13:59:15.091777Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-21T14:33:03.134Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.maven.apache.org/maven2",
"defaultStatus": "unaffected",
"packageName": "org.apache.zeppelin:zeppelin-interpreter",
"product": "Apache Zeppelin",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "0.11.1",
"status": "affected",
"version": "0.8.2",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Esa Hiltunen"
},
{
"lang": "en",
"type": "finder",
"value": "https://teragrep.com"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Encoding or Escaping of Output vulnerability in Apache Zeppelin.\u003cbr\u003e\u003cbr\u003eThe attackers can execute shell scripts or malicious code by overriding configuration like\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eZEPPELIN_INTP_CLASSPATH_OVERRIDES.\u003c/span\u003e\u003cbr\u003e\u003cp\u003eThis issue affects Apache Zeppelin: from 0.8.2 before 0.11.1.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 0.11.1, which fixes the issue.\u003c/p\u003e"
}
],
"value": "Improper Encoding or Escaping of Output vulnerability in Apache Zeppelin.\n\nThe attackers can execute shell scripts or malicious code by overriding configuration like\u00a0ZEPPELIN_INTP_CLASSPATH_OVERRIDES.\nThis issue affects Apache Zeppelin: from 0.8.2 before 0.11.1.\n\nUsers are recommended to upgrade to version 0.11.1, which fixes the issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "moderate"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-116",
"description": "CWE-116 Improper Encoding or Escaping of Output",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-01T18:07:49.092Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/apache/zeppelin/pull/4715"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/jpkbq3oktopt34x2n5wnhzc2r1410ddd"
},
{
"url": "http://www.openwall.com/lists/oss-security/2024/04/09/10"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache Zeppelin: Interpreter download command does not escape malicious code injection",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2024-31866",
"datePublished": "2024-04-09T16:09:12.117Z",
"dateReserved": "2024-04-06T11:51:00.551Z",
"dateUpdated": "2025-02-13T17:51:59.550Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-41177 (GCVE-0-2024-41177)
Vulnerability from cvelistv5
Published
2025-08-03 10:09
Modified
2025-08-04 13:21
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
Incomplete Blacklist to Cross-Site Scripting vulnerability in Apache Zeppelin.
This issue affects Apache Zeppelin: before 0.12.0.
Users are recommended to upgrade to version 0.12.0, which fixes the issue.
References
| ► | URL | Tags |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Zeppelin |
Version: 0 ≤ |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-41177",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-04T13:20:16.874641Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-04T13:21:36.476Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.maven.apache.org/maven2",
"defaultStatus": "unaffected",
"packageName": "org.apache.zeppelin:zeppelin-web",
"product": "Apache Zeppelin",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "0.12.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "H Ming"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIncomplete Blacklist to Cross-Site Scripting vulnerability in Apache Zeppelin.\u003c/p\u003e\u003cp\u003eThis issue affects Apache Zeppelin: before 0.12.0.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 0.12.0, which fixes the issue.\u003c/p\u003e"
}
],
"value": "Incomplete Blacklist to Cross-Site Scripting vulnerability in Apache Zeppelin.\n\nThis issue affects Apache Zeppelin: before 0.12.0.\n\nUsers are recommended to upgrade to version 0.12.0, which fixes the issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "moderate"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-03T10:09:43.302Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/apache/zeppelin/pull/4755"
},
{
"tags": [
"patch"
],
"url": "https://github.com/apache/zeppelin/pull/4795"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/nwh8vh9f3pnvt04n8z4g2kbddh62blr6"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache Zeppelin: XSS in the Helium module",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2024-41177",
"datePublished": "2025-08-03T10:09:43.302Z",
"dateReserved": "2024-07-17T14:51:36.965Z",
"dateUpdated": "2025-08-04T13:21:36.476Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-31865 (GCVE-0-2024-31865)
Vulnerability from cvelistv5
Published
2024-04-09 16:07
Modified
2025-02-13 17:48
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-20 - Improper Input Validation
Summary
Improper Input Validation vulnerability in Apache Zeppelin.
The attackers can call updating cron API with invalid or improper privileges so that the notebook can run with the privileges.
This issue affects Apache Zeppelin: from 0.8.2 before 0.11.1.
Users are recommended to upgrade to version 0.11.1, which fixes the issue.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Zeppelin |
Version: 0.8.2 ≤ |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:apache:zeppelin:0.8.2:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "zeppelin",
"vendor": "apache",
"versions": [
{
"status": "affected",
"version": "0.8.2"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-31865",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-04-22T18:48:59.403032Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:36:49.248Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T01:59:49.913Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"patch",
"x_transferred"
],
"url": "https://github.com/apache/zeppelin/pull/4631"
},
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/slm1sf0slwc11f4m4r0nd6ot2rf7w81l"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2024/04/09/9"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.maven.apache.org/maven2",
"defaultStatus": "unaffected",
"packageName": "org.apache.zeppelin:zeppelin-server",
"product": "Apache Zeppelin",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "0.11.1",
"status": "affected",
"version": "0.8.2",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Esa Hiltunen"
},
{
"lang": "en",
"type": "finder",
"value": "https://teragrep.com"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eImproper Input Validation vulnerability in Apache Zeppelin.\u003c/p\u003e\u003cp\u003eThe attackers can call updating cron API with invalid or improper privileges so that the notebook can run with the privileges.\u003c/p\u003e\u003cp\u003eThis issue affects Apache Zeppelin: from 0.8.2 before 0.11.1.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 0.11.1, which fixes the issue.\u003c/p\u003e"
}
],
"value": "Improper Input Validation vulnerability in Apache Zeppelin.\n\nThe attackers can call updating cron API with invalid or improper privileges so that the notebook can run with the privileges.\n\nThis issue affects Apache Zeppelin: from 0.8.2 before 0.11.1.\n\nUsers are recommended to upgrade to version 0.11.1, which fixes the issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "moderate"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-01T18:11:41.213Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/apache/zeppelin/pull/4631"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/slm1sf0slwc11f4m4r0nd6ot2rf7w81l"
},
{
"url": "http://www.openwall.com/lists/oss-security/2024/04/09/9"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache Zeppelin: Cron arbitrary user impersonation with improper privileges",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2024-31865",
"datePublished": "2024-04-09T16:07:36.358Z",
"dateReserved": "2024-04-06T11:50:47.384Z",
"dateUpdated": "2025-02-13T17:48:06.867Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-28655 (GCVE-0-2021-28655)
Vulnerability from cvelistv5
Published
2022-12-16 12:51
Modified
2025-04-17 15:37
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-20 - Improper Input Validation
Summary
The improper Input Validation vulnerability in "”Move folder to Trash” feature of Apache Zeppelin allows an attacker to delete the arbitrary files. This issue affects Apache Zeppelin Apache Zeppelin version 0.9.0 and prior versions.
References
| ► | URL | Tags | |||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Zeppelin |
Version: 0 < |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T21:47:33.056Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/bxs056g3xlsofz0jb3wny9dw4llwptd2"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2021-28655",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-17T15:36:47.959954Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-17T15:37:14.575Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache Zeppelin",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "0.9.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Kai Zhao"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The improper Input Validation vulnerability in \"\u201dMove folder to Trash\u201d feature of Apache Zeppelin allows an attacker to delete the arbitrary files. This issue affects Apache Zeppelin Apache Zeppelin version 0.9.0 and prior versions."
}
],
"value": "The improper Input Validation vulnerability in \"\u201dMove folder to Trash\u201d feature of Apache Zeppelin allows an attacker to delete the arbitrary files. This issue affects Apache Zeppelin Apache Zeppelin version 0.9.0 and prior versions."
}
],
"metrics": [
{
"other": {
"content": {
"text": "important"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-12-19T12:55:19.145Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/bxs056g3xlsofz0jb3wny9dw4llwptd2"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache Zeppelin: Arbitrary file deletion vulnerability",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2021-28655",
"datePublished": "2022-12-16T12:51:51.927Z",
"dateReserved": "2021-03-17T08:27:06.184Z",
"dateUpdated": "2025-04-17T15:37:14.575Z",
"requesterUserId": "01d7ebfd-4418-401d-b8e4-f5ae3da29160",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-1328 (GCVE-0-2018-1328)
Vulnerability from cvelistv5
Published
2019-04-23 14:45
Modified
2024-08-05 03:59
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- Stored XSS
Summary
Apache Zeppelin prior to 0.8.0 had a stored XSS issue via Note permissions. Issue reported by "Josna Joseph".
References
| ► | URL | Tags | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Zeppelin |
Version: prior to 0.8.0 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T03:59:38.883Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "[zeppelin-users] 20190423 Issues fixed in previous releases of Apache Zeppelin 0.7.3 and 0.8.0 (CVE-2017-12619 CVE-2018-1317 CVE-2018-1328)",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/ff6b995a5a3ba8db4d6b14b4d9dd487e7bf2e3bdd5b375b64a25fd06%40%3Cusers.zeppelin.apache.org%3E"
},
{
"name": "[oss-security] 20190423 Issues fixed in previous releases of Apache Zeppelin 0.7.3 and 0.8.0 (CVE-2017-12619 CVE-2018-1317 CVE-2018-1328)",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2019/04/23/1"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://zeppelin.apache.org/releases/zeppelin-release-0.8.0.html"
},
{
"name": "108047",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/108047"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache Zeppelin",
"vendor": "Apache Software Foundation",
"versions": [
{
"status": "affected",
"version": "prior to 0.8.0"
}
]
}
],
"datePublic": "2019-04-23T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Apache Zeppelin prior to 0.8.0 had a stored XSS issue via Note permissions. Issue reported by \"Josna Joseph\"."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Stored XSS",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-04-24T10:05:59",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"name": "[zeppelin-users] 20190423 Issues fixed in previous releases of Apache Zeppelin 0.7.3 and 0.8.0 (CVE-2017-12619 CVE-2018-1317 CVE-2018-1328)",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/ff6b995a5a3ba8db4d6b14b4d9dd487e7bf2e3bdd5b375b64a25fd06%40%3Cusers.zeppelin.apache.org%3E"
},
{
"name": "[oss-security] 20190423 Issues fixed in previous releases of Apache Zeppelin 0.7.3 and 0.8.0 (CVE-2017-12619 CVE-2018-1317 CVE-2018-1328)",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2019/04/23/1"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://zeppelin.apache.org/releases/zeppelin-release-0.8.0.html"
},
{
"name": "108047",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/108047"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2018-1328",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache Zeppelin",
"version": {
"version_data": [
{
"version_value": "prior to 0.8.0"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Apache Zeppelin prior to 0.8.0 had a stored XSS issue via Note permissions. Issue reported by \"Josna Joseph\"."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Stored XSS"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "[zeppelin-users] 20190423 Issues fixed in previous releases of Apache Zeppelin 0.7.3 and 0.8.0 (CVE-2017-12619 CVE-2018-1317 CVE-2018-1328)",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/ff6b995a5a3ba8db4d6b14b4d9dd487e7bf2e3bdd5b375b64a25fd06@%3Cusers.zeppelin.apache.org%3E"
},
{
"name": "[oss-security] 20190423 Issues fixed in previous releases of Apache Zeppelin 0.7.3 and 0.8.0 (CVE-2017-12619 CVE-2018-1317 CVE-2018-1328)",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2019/04/23/1"
},
{
"name": "https://zeppelin.apache.org/releases/zeppelin-release-0.8.0.html",
"refsource": "MISC",
"url": "https://zeppelin.apache.org/releases/zeppelin-release-0.8.0.html"
},
{
"name": "108047",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/108047"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2018-1328",
"datePublished": "2019-04-23T14:45:24",
"dateReserved": "2017-12-07T00:00:00",
"dateUpdated": "2024-08-05T03:59:38.883Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-27578 (GCVE-0-2021-27578)
Vulnerability from cvelistv5
Published
2021-09-02 00:00
Modified
2024-08-03 21:26
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- Cross Site Scripting
Summary
Cross Site Scripting vulnerability in markdown interpreter of Apache Zeppelin allows an attacker to inject malicious scripts. This issue affects Apache Zeppelin Apache Zeppelin versions prior to 0.9.0.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Zeppelin |
Version: Apache Zeppelin < 0.9.0 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T21:26:09.867Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r90590aa5ea788128ecc2e822e1e64d5200b4cb92b06707b38da4cb3d%40%3Cusers.zeppelin.apache.org%3E"
},
{
"name": "[zeppelin-users] 20210902 CVE-2021-27578: Apache Zeppelin: Cross Site Scripting in markdown interpreter",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r90590aa5ea788128ecc2e822e1e64d5200b4cb92b06707b38da4cb3d%40%3Cusers.zeppelin.apache.org%3E"
},
{
"name": "[oss-security] 20210902 CVE-2021-27578: Apache Zeppelin: Cross Site Scripting in markdown interpreter",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2021/09/02/3"
},
{
"name": "[announce] 20210902 CVE-2021-27578: Apache Zeppelin: Cross Site Scripting in markdown interpreter",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r90590aa5ea788128ecc2e822e1e64d5200b4cb92b06707b38da4cb3d%40%3Cannounce.apache.org%3E"
},
{
"name": "[zeppelin-users] 20210928 Re: CVE-2021-27578: Apache Zeppelin: Cross Site Scripting in markdown interpreter",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r31012f2c8e39a5e12e14c1de030012cb8b51c037d953d73b291b7b50%40%3Cusers.zeppelin.apache.org%3E"
},
{
"name": "GLSA-202311-04",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/202311-04"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache Zeppelin",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "0.9.0",
"status": "affected",
"version": "Apache Zeppelin",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Apache Zeppelin would like to thank Paulo Pacheco for reporting this issue "
}
],
"descriptions": [
{
"lang": "en",
"value": "Cross Site Scripting vulnerability in markdown interpreter of Apache Zeppelin allows an attacker to inject malicious scripts. This issue affects Apache Zeppelin Apache Zeppelin versions prior to 0.9.0."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cross Site Scripting",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-11-24T14:06:23.771497",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"url": "https://lists.apache.org/thread.html/r90590aa5ea788128ecc2e822e1e64d5200b4cb92b06707b38da4cb3d%40%3Cusers.zeppelin.apache.org%3E"
},
{
"name": "[zeppelin-users] 20210902 CVE-2021-27578: Apache Zeppelin: Cross Site Scripting in markdown interpreter",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/r90590aa5ea788128ecc2e822e1e64d5200b4cb92b06707b38da4cb3d%40%3Cusers.zeppelin.apache.org%3E"
},
{
"name": "[oss-security] 20210902 CVE-2021-27578: Apache Zeppelin: Cross Site Scripting in markdown interpreter",
"tags": [
"mailing-list"
],
"url": "http://www.openwall.com/lists/oss-security/2021/09/02/3"
},
{
"name": "[announce] 20210902 CVE-2021-27578: Apache Zeppelin: Cross Site Scripting in markdown interpreter",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/r90590aa5ea788128ecc2e822e1e64d5200b4cb92b06707b38da4cb3d%40%3Cannounce.apache.org%3E"
},
{
"name": "[zeppelin-users] 20210928 Re: CVE-2021-27578: Apache Zeppelin: Cross Site Scripting in markdown interpreter",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/r31012f2c8e39a5e12e14c1de030012cb8b51c037d953d73b291b7b50%40%3Cusers.zeppelin.apache.org%3E"
},
{
"name": "GLSA-202311-04",
"tags": [
"vendor-advisory"
],
"url": "https://security.gentoo.org/glsa/202311-04"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Cross Site Scripting in markdown interpreter",
"x_generator": {
"engine": "Vulnogram 0.0.9"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2021-27578",
"datePublished": "2021-09-02T00:00:00",
"dateReserved": "2021-02-23T00:00:00",
"dateUpdated": "2024-08-03T21:26:09.867Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-10095 (GCVE-0-2019-10095)
Vulnerability from cvelistv5
Published
2021-09-02 00:00
Modified
2024-08-04 22:10
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- bash command injection
Summary
bash command injection vulnerability in Apache Zeppelin allows an attacker to inject system commands into Spark interpreter settings. This issue affects Apache Zeppelin Apache Zeppelin version 0.9.0 and prior versions.
References
| ► | URL | Tags | ||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Zeppelin |
Version: Apache Zeppelin < |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T22:10:09.552Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rdf06e8423833b3daadc30c56a2ff47c48920864d5199476daa897208%40%3Cusers.zeppelin.apache.org%3E"
},
{
"name": "[zeppelin-users] 20210902 CVE-2019-10095: Apache Zeppelin: bash command injection in spark interpreter",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rdf06e8423833b3daadc30c56a2ff47c48920864d5199476daa897208%40%3Cusers.zeppelin.apache.org%3E"
},
{
"name": "[oss-security] 20210902 CVE-2019-10095: Apache Zeppelin: bash command injection in spark interpreter",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2021/09/02/1"
},
{
"name": "[announce] 20210902 CVE-2019-10095: Apache Zeppelin: bash command injection in spark interpreter",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rdf06e8423833b3daadc30c56a2ff47c48920864d5199476daa897208%40%3Cannounce.apache.org%3E"
},
{
"name": "[zeppelin-users] 20210928 Re: CVE-2019-10095: Apache Zeppelin: bash command injection in spark interpreter",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rd56389ba9cab30a6c976b9a4a6df0f85cbe8fba6a60a3cf6e3ba716b%40%3Cusers.zeppelin.apache.org%3E"
},
{
"name": "GLSA-202311-04",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/202311-04"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache Zeppelin",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "0.9.0",
"status": "affected",
"version": "Apache Zeppelin",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Apache Zeppelin would like to thank HERE Security team for reporting this issue "
}
],
"descriptions": [
{
"lang": "en",
"value": "bash command injection vulnerability in Apache Zeppelin allows an attacker to inject system commands into Spark interpreter settings. This issue affects Apache Zeppelin Apache Zeppelin version 0.9.0 and prior versions."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "bash command injection",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-11-24T14:06:20.416462",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"url": "https://lists.apache.org/thread.html/rdf06e8423833b3daadc30c56a2ff47c48920864d5199476daa897208%40%3Cusers.zeppelin.apache.org%3E"
},
{
"name": "[zeppelin-users] 20210902 CVE-2019-10095: Apache Zeppelin: bash command injection in spark interpreter",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/rdf06e8423833b3daadc30c56a2ff47c48920864d5199476daa897208%40%3Cusers.zeppelin.apache.org%3E"
},
{
"name": "[oss-security] 20210902 CVE-2019-10095: Apache Zeppelin: bash command injection in spark interpreter",
"tags": [
"mailing-list"
],
"url": "http://www.openwall.com/lists/oss-security/2021/09/02/1"
},
{
"name": "[announce] 20210902 CVE-2019-10095: Apache Zeppelin: bash command injection in spark interpreter",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/rdf06e8423833b3daadc30c56a2ff47c48920864d5199476daa897208%40%3Cannounce.apache.org%3E"
},
{
"name": "[zeppelin-users] 20210928 Re: CVE-2019-10095: Apache Zeppelin: bash command injection in spark interpreter",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/rd56389ba9cab30a6c976b9a4a6df0f85cbe8fba6a60a3cf6e3ba716b%40%3Cusers.zeppelin.apache.org%3E"
},
{
"name": "GLSA-202311-04",
"tags": [
"vendor-advisory"
],
"url": "https://security.gentoo.org/glsa/202311-04"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "bash command injection in spark interpreter",
"x_generator": {
"engine": "Vulnogram 0.0.9"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2019-10095",
"datePublished": "2021-09-02T00:00:00",
"dateReserved": "2019-03-26T00:00:00",
"dateUpdated": "2024-08-04T22:10:09.552Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-52279 (GCVE-0-2024-52279)
Vulnerability from cvelistv5
Published
2025-08-03 10:02
Modified
2025-08-05 15:25
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-20 - Improper Input Validation
Summary
Improper Input Validation vulnerability in Apache Zeppelin. The fix for JDBC URL validation in CVE-2024-31864 did not account for URL encoded input.
This issue affects Apache Zeppelin: from 0.11.1 before 0.12.0.
Users are recommended to upgrade to version 0.12.0, which fixes the issue.
References
| ► | URL | Tags | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Zeppelin |
Version: 0.11.1 ≤ |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-52279",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-05T15:24:44.320475Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-05T15:25:06.848Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.maven.apache.org/maven2",
"defaultStatus": "unaffected",
"packageName": "org.apache.zeppelin:zeppelin-jdbc",
"product": "Apache Zeppelin",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "0.12.0",
"status": "affected",
"version": "0.11.1",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "H Ming"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eImproper Input Validation vulnerability in Apache Zeppelin. The fix for JDBC URL validation in CVE-2024-31864 did not account for URL encoded input.\u003c/p\u003e\u003cp\u003eThis issue affects Apache Zeppelin: from 0.11.1 before 0.12.0.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 0.12.0, which fixes the issue.\u003c/p\u003e"
}
],
"value": "Improper Input Validation vulnerability in Apache Zeppelin. The fix for JDBC URL validation in CVE-2024-31864 did not account for URL encoded input.\n\nThis issue affects Apache Zeppelin: from 0.11.1 before 0.12.0.\n\nUsers are recommended to upgrade to version 0.12.0, which fixes the issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "moderate"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-03T10:02:05.153Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/apache/zeppelin/pull/4838"
},
{
"tags": [
"issue-tracking"
],
"url": "https://issues.apache.org/jira/browse/ZEPPELIN-6095"
},
{
"tags": [
"issue-tracking"
],
"url": "https://www.cve.org/CVERecord?id=CVE-2024-31864"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/dxb98vgrb21rrl3k0fzonpk66onr6o4q"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache Zeppelin: Arbitrary file read by adding malicious JDBC connection string",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2024-52279",
"datePublished": "2025-08-03T10:02:05.153Z",
"dateReserved": "2024-11-06T09:19:55.078Z",
"dateUpdated": "2025-08-05T15:25:06.848Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-46870 (GCVE-0-2022-46870)
Vulnerability from cvelistv5
Published
2022-12-16 12:55
Modified
2025-04-17 15:36
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Apache Zeppelin allows logged-in users to execute arbitrary javascript in other users' browsers.
This issue affects Apache Zeppelin before 0.8.2. Users are recommended to upgrade to a supported version of Zeppelin.
References
| ► | URL | Tags | |||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Zeppelin |
Version: 0 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T14:39:39.095Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/gb1wdnrm1095xw6qznpsycfrht4lwbwc"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-46870",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-17T15:36:02.123744Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-17T15:36:28.153Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache Zeppelin",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "0.8.2",
"status": "affected",
"version": "0",
"versionType": "maven"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in Apache Zeppelin allows logged-in users to execute arbitrary javascript in other users\u0027 browsers.\u003cbr\u003e\u003cp\u003eThis issue affects Apache Zeppelin before 0.8.2. Users are recommended to upgrade to a supported version of Zeppelin.\u003cbr\u003e\u003c/p\u003e"
}
],
"value": "An Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in Apache Zeppelin allows logged-in users to execute arbitrary javascript in other users\u0027 browsers.\nThis issue affects Apache Zeppelin before 0.8.2. Users are recommended to upgrade to a supported version of Zeppelin.\n\n\n"
}
],
"metrics": [
{
"other": {
"content": {
"text": "moderate"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-12-16T12:55:37.597Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/gb1wdnrm1095xw6qznpsycfrht4lwbwc"
}
],
"source": {
"defect": [
"ZEPPELIN-4333"
],
"discovery": "UNKNOWN"
},
"title": "Apache Zeppelin: Stored XSS in note permissions",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2022-46870",
"datePublished": "2022-12-16T12:55:37.597Z",
"dateReserved": "2022-12-09T14:04:31.289Z",
"dateUpdated": "2025-04-17T15:36:28.153Z",
"requesterUserId": "cf81350d-439c-4450-9d42-0a054bb6b6c9",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-13929 (GCVE-0-2020-13929)
Vulnerability from cvelistv5
Published
2021-09-02 00:00
Modified
2024-08-04 12:32
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- authentication bypass
Summary
Authentication bypass vulnerability in Apache Zeppelin allows an attacker to bypass Zeppelin authentication mechanism to act as another user. This issue affects Apache Zeppelin Apache Zeppelin version 0.9.0 and prior versions.
References
| ► | URL | Tags | ||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Zeppelin |
Version: Apache Zeppelin < |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T12:32:14.441Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r768800925d6407a6a87ccae0ec98776b7bda50c0e3ed3d0130dad028%40%3Cusers.zeppelin.apache.org%3E"
},
{
"name": "[zeppelin-users] 20210902 CVE-2020-13929: Apache Zeppelin: Notebook permissions bypass",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r768800925d6407a6a87ccae0ec98776b7bda50c0e3ed3d0130dad028%40%3Cusers.zeppelin.apache.org%3E"
},
{
"name": "[oss-security] 20210902 CVE-2020-13929: Apache Zeppelin: Notebook permissions bypass",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2021/09/02/2"
},
{
"name": "[announce] 20210902 CVE-2020-13929: Apache Zeppelin: Notebook permissions bypass",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r768800925d6407a6a87ccae0ec98776b7bda50c0e3ed3d0130dad028%40%3Cannounce.apache.org%3E"
},
{
"name": "[zeppelin-users] 20210928 Re: CVE-2020-13929: Apache Zeppelin: Notebook permissions bypass",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r99529e175a7c1c9a26bd41a02802c8af7aa97319fe561874627eb999%40%3Cusers.zeppelin.apache.org%3E"
},
{
"name": "GLSA-202311-04",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/202311-04"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache Zeppelin",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "0.9.0",
"status": "affected",
"version": "Apache Zeppelin",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Apache Zeppelin would like to thank David Woodhouse for reporting this issue "
}
],
"descriptions": [
{
"lang": "en",
"value": "Authentication bypass vulnerability in Apache Zeppelin allows an attacker to bypass Zeppelin authentication mechanism to act as another user. This issue affects Apache Zeppelin Apache Zeppelin version 0.9.0 and prior versions."
}
],
"metrics": [
{
"other": {
"content": {
"other": "critical"
},
"type": "unknown"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "authentication bypass",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-11-24T14:06:22.066265",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"url": "https://lists.apache.org/thread.html/r768800925d6407a6a87ccae0ec98776b7bda50c0e3ed3d0130dad028%40%3Cusers.zeppelin.apache.org%3E"
},
{
"name": "[zeppelin-users] 20210902 CVE-2020-13929: Apache Zeppelin: Notebook permissions bypass",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/r768800925d6407a6a87ccae0ec98776b7bda50c0e3ed3d0130dad028%40%3Cusers.zeppelin.apache.org%3E"
},
{
"name": "[oss-security] 20210902 CVE-2020-13929: Apache Zeppelin: Notebook permissions bypass",
"tags": [
"mailing-list"
],
"url": "http://www.openwall.com/lists/oss-security/2021/09/02/2"
},
{
"name": "[announce] 20210902 CVE-2020-13929: Apache Zeppelin: Notebook permissions bypass",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/r768800925d6407a6a87ccae0ec98776b7bda50c0e3ed3d0130dad028%40%3Cannounce.apache.org%3E"
},
{
"name": "[zeppelin-users] 20210928 Re: CVE-2020-13929: Apache Zeppelin: Notebook permissions bypass",
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread.html/r99529e175a7c1c9a26bd41a02802c8af7aa97319fe561874627eb999%40%3Cusers.zeppelin.apache.org%3E"
},
{
"name": "GLSA-202311-04",
"tags": [
"vendor-advisory"
],
"url": "https://security.gentoo.org/glsa/202311-04"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Notebook permissions bypass",
"x_generator": {
"engine": "Vulnogram 0.0.9"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2020-13929",
"datePublished": "2021-09-02T00:00:00",
"dateReserved": "2020-06-08T00:00:00",
"dateUpdated": "2024-08-04T12:32:14.441Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-51775 (GCVE-0-2024-51775)
Vulnerability from cvelistv5
Published
2025-08-03 10:13
Modified
2025-08-05 15:24
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-1385 - Missing Origin Validation in WebSockets
Summary
Missing Origin Validation in WebSockets vulnerability in Apache Zeppelin.
The attacker could access the Zeppelin server from another origin without any restriction, and get internal information about paragraphs.
This issue affects Apache Zeppelin: from 0.11.1 before 0.12.0.
Users are recommended to upgrade to version 0.12.0, which fixes the issue.
References
| ► | URL | Tags |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Zeppelin |
Version: 0.11.1 ≤ |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-51775",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-05T15:23:52.792934Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-05T15:24:11.780Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.maven.apache.org/maven2",
"defaultStatus": "unaffected",
"packageName": "org.apache.zeppelin:zeppelin-shell",
"product": "Apache Zeppelin",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "0.12.0",
"status": "affected",
"version": "0.11.1",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Calum Hutton"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eMissing Origin Validation in WebSockets vulnerability in Apache Zeppelin.\u003c/p\u003eThe attacker could access the Zeppelin server from another origin without any restriction, and get internal information about paragraphs.\u0026nbsp;\u003cbr\u003e\u003cp\u003eThis issue affects Apache Zeppelin: from 0.11.1 before 0.12.0.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 0.12.0, which fixes the issue.\u003c/p\u003e"
}
],
"value": "Missing Origin Validation in WebSockets vulnerability in Apache Zeppelin.\n\nThe attacker could access the Zeppelin server from another origin without any restriction, and get internal information about paragraphs.\u00a0\nThis issue affects Apache Zeppelin: from 0.11.1 before 0.12.0.\n\nUsers are recommended to upgrade to version 0.12.0, which fixes the issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "moderate"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1385",
"description": "CWE-1385 Missing Origin Validation in WebSockets",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-03T10:13:17.467Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/apache/zeppelin/pull/4823"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache Zeppelin: Command Injection via CSWSH",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2024-51775",
"datePublished": "2025-08-03T10:13:17.467Z",
"dateReserved": "2024-11-02T13:39:42.909Z",
"dateUpdated": "2025-08-05T15:24:11.780Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-31868 (GCVE-0-2024-31868)
Vulnerability from cvelistv5
Published
2024-04-09 16:10
Modified
2024-11-04 16:12
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
Improper Encoding or Escaping of Output vulnerability in Apache Zeppelin.
The attackers can modify helium.json and exposure XSS attacks to normal users.
This issue affects Apache Zeppelin: from 0.8.2 before 0.11.1.
Users are recommended to upgrade to version 0.11.1, which fixes the issue.
References
| ► | URL | Tags |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Zeppelin |
Version: 0.8.2 ≤ |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-31868",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-04-11T17:24:09.912394Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-04T16:12:40.294Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T01:59:50.569Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"patch",
"x_transferred"
],
"url": "https://github.com/apache/zeppelin/pull/4728"
},
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/55mqs673plsxmgnq7fdf2flftpllyf11"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2024/04/09/11"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.maven.apache.org/maven2",
"defaultStatus": "unaffected",
"packageName": "org.apache.zeppelin:zeppelin-interpreter",
"product": "Apache Zeppelin",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "0.11.1",
"status": "affected",
"version": "0.8.2",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "H Ming"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Encoding or Escaping of Output vulnerability in Apache Zeppelin.\u003cbr\u003e\u003cbr\u003eThe attackers can modify helium.json and exposure XSS attacks to normal users.\u003cbr\u003e\u003cp\u003eThis issue affects Apache Zeppelin: from 0.8.2 before 0.11.1.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 0.11.1, which fixes the issue.\u003c/p\u003e"
}
],
"value": "Improper Encoding or Escaping of Output vulnerability in Apache Zeppelin.\n\nThe attackers can modify helium.json and exposure XSS attacks to normal users.\nThis issue affects Apache Zeppelin: from 0.8.2 before 0.11.1.\n\nUsers are recommended to upgrade to version 0.11.1, which fixes the issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "moderate"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-03T12:35:16.585Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/apache/zeppelin/pull/4728"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/55mqs673plsxmgnq7fdf2flftpllyf11"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache Zeppelin: XSS vulnerability in the helium module",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2024-31868",
"datePublished": "2024-04-09T16:10:30.671Z",
"dateReserved": "2024-04-06T11:51:21.885Z",
"dateUpdated": "2024-11-04T16:12:40.294Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-41169 (GCVE-0-2024-41169)
Vulnerability from cvelistv5
Published
2025-07-12 16:22
Modified
2025-07-14 15:42
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-664 - Improper Control of a Resource Through its Lifetime
Summary
The attacker can use the raft server protocol in an unauthenticated way. The attacker can see the server's resources, including directories and files.
This issue affects Apache Zeppelin: from 0.10.1 up to 0.12.0.
Users are recommended to upgrade to version 0.12.0, which fixes the issue by removing the Cluster Interpreter.
References
| ► | URL | Tags |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Zeppelin |
Version: 0.10.1 ≤ |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-41169",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-14T15:41:04.363543Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-14T15:42:07.486Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.maven.apache.org/maven2",
"defaultStatus": "unaffected",
"packageName": "org.apache.zeppelin:zeppelin-server",
"product": "Apache Zeppelin",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "0.12.0",
"status": "affected",
"version": "0.10.1",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "SuperX \u003csuperxyyang@gmail.com\u003e"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThe attacker can use the raft server protocol in an unauthenticated way. The attacker can see the server\u0027s resources, including directories and files.\u003c/p\u003e\u003cp\u003eThis issue affects Apache Zeppelin: from 0.10.1 up to 0.12.0.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 0.12.0,\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003ewhich fixes the issue by removing the Cluster Interpreter.\u003c/span\u003e\u003c/p\u003e"
}
],
"value": "The attacker can use the raft server protocol in an unauthenticated way. The attacker can see the server\u0027s resources, including directories and files.\n\nThis issue affects Apache Zeppelin: from 0.10.1 up to 0.12.0.\n\nUsers are recommended to upgrade to version 0.12.0,\u00a0which fixes the issue by removing the Cluster Interpreter."
}
],
"metrics": [
{
"other": {
"content": {
"text": "moderate"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-664",
"description": "CWE-664 Improper Control of a Resource Through its Lifetime",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-12T16:22:35.724Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/apache/zeppelin/pull/4841"
},
{
"tags": [
"issue-tracking"
],
"url": "https://issues.apache.org/jira/browse/ZEPPELIN-6101"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/moyym04993c8owh4h0qj98r43tbo8qdd"
}
],
"source": {
"advisory": "ZEPPELIN-6101",
"defect": [
"https://issues.apache.org/jira/browse/ZEPPELIN-6101"
],
"discovery": "UNKNOWN"
},
"title": "Apache Zeppelin: raft directory listing and file read",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2024-41169",
"datePublished": "2025-07-12T16:22:35.724Z",
"dateReserved": "2024-07-17T08:42:21.067Z",
"dateUpdated": "2025-07-14T15:42:07.486Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-31864 (GCVE-0-2024-31864)
Vulnerability from cvelistv5
Published
2024-04-09 16:05
Modified
2025-02-13 17:48
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-94 - Improper Control of Generation of Code ('Code Injection')
Summary
Improper Control of Generation of Code ('Code Injection') vulnerability in Apache Zeppelin.
The attacker can inject sensitive configuration or malicious code when connecting MySQL database via JDBC driver.
This issue affects Apache Zeppelin: before 0.11.1.
Users are recommended to upgrade to version 0.11.1, which fixes the issue.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Zeppelin |
Version: 0 ≤ |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:apache:zeppelin:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "zeppelin",
"vendor": "apache",
"versions": [
{
"lessThan": "0.11.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-31864",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-31T21:01:13.020171Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-31T21:03:11.993Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T01:59:50.140Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"patch",
"x_transferred"
],
"url": "https://github.com/apache/zeppelin/pull/4709"
},
{
"tags": [
"related",
"x_transferred"
],
"url": "https://www.cve.org/CVERecord?id=CVE-2020-11974"
},
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/752qdk0rnkd9nqtornz734zwb7xdwcdb"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2024/04/09/8"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.maven.apache.org/maven2",
"defaultStatus": "unaffected",
"product": "Apache Zeppelin",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "0.11.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "rg"
},
{
"lang": "en",
"type": "finder",
"value": "Nbxiglk"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Control of Generation of Code (\u0027Code Injection\u0027) vulnerability in Apache Zeppelin.\u003cbr\u003e\u003cbr\u003eThe attacker can inject sensitive configuration or malicious code when connecting MySQL database via JDBC driver.\u003cbr\u003e\u003cp\u003eThis issue affects Apache Zeppelin: before 0.11.1.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 0.11.1, which fixes the issue.\u003c/p\u003e"
}
],
"value": "Improper Control of Generation of Code (\u0027Code Injection\u0027) vulnerability in Apache Zeppelin.\n\nThe attacker can inject sensitive configuration or malicious code when connecting MySQL database via JDBC driver.\nThis issue affects Apache Zeppelin: before 0.11.1.\n\nUsers are recommended to upgrade to version 0.11.1, which fixes the issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "moderate"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-01T18:11:46.568Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/apache/zeppelin/pull/4709"
},
{
"tags": [
"related"
],
"url": "https://www.cve.org/CVERecord?id=CVE-2020-11974"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/752qdk0rnkd9nqtornz734zwb7xdwcdb"
},
{
"url": "http://www.openwall.com/lists/oss-security/2024/04/09/8"
}
],
"source": {
"defect": [
"ZEPPELIN-5990"
],
"discovery": "UNKNOWN"
},
"title": "Apache Zeppelin: Remote code execution by adding malicious JDBC connection string",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2024-31864",
"datePublished": "2024-04-09T16:05:32.690Z",
"dateReserved": "2024-04-06T11:50:37.125Z",
"dateUpdated": "2025-02-13T17:48:06.183Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-12619 (GCVE-0-2017-12619)
Vulnerability from cvelistv5
Published
2019-04-23 14:45
Modified
2024-08-05 18:43
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- Session Fixation
Summary
Apache Zeppelin prior to 0.7.3 was vulnerable to session fixation which allowed an attacker to hijack a valid user session. Issue was reported by "stone lone".
References
| ► | URL | Tags | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Zeppelin |
Version: prior to 0.7.3 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T18:43:56.428Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "[zeppelin-users] 20190423 Issues fixed in previous releases of Apache Zeppelin 0.7.3 and 0.8.0 (CVE-2017-12619 CVE-2018-1317 CVE-2018-1328)",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/ff6b995a5a3ba8db4d6b14b4d9dd487e7bf2e3bdd5b375b64a25fd06%40%3Cusers.zeppelin.apache.org%3E"
},
{
"name": "[oss-security] 20190423 Issues fixed in previous releases of Apache Zeppelin 0.7.3 and 0.8.0 (CVE-2017-12619 CVE-2018-1317 CVE-2018-1328)",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2019/04/23/1"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://zeppelin.apache.org/releases/zeppelin-release-0.7.3.html"
},
{
"name": "108050",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/108050"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache Zeppelin",
"vendor": "Apache Software Foundation",
"versions": [
{
"status": "affected",
"version": "prior to 0.7.3"
}
]
}
],
"datePublic": "2019-04-23T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Apache Zeppelin prior to 0.7.3 was vulnerable to session fixation which allowed an attacker to hijack a valid user session. Issue was reported by \"stone lone\"."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Session Fixation",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-04-24T10:05:59",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"name": "[zeppelin-users] 20190423 Issues fixed in previous releases of Apache Zeppelin 0.7.3 and 0.8.0 (CVE-2017-12619 CVE-2018-1317 CVE-2018-1328)",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/ff6b995a5a3ba8db4d6b14b4d9dd487e7bf2e3bdd5b375b64a25fd06%40%3Cusers.zeppelin.apache.org%3E"
},
{
"name": "[oss-security] 20190423 Issues fixed in previous releases of Apache Zeppelin 0.7.3 and 0.8.0 (CVE-2017-12619 CVE-2018-1317 CVE-2018-1328)",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2019/04/23/1"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://zeppelin.apache.org/releases/zeppelin-release-0.7.3.html"
},
{
"name": "108050",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/108050"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2017-12619",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache Zeppelin",
"version": {
"version_data": [
{
"version_value": "prior to 0.7.3"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Apache Zeppelin prior to 0.7.3 was vulnerable to session fixation which allowed an attacker to hijack a valid user session. Issue was reported by \"stone lone\"."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Session Fixation"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "[zeppelin-users] 20190423 Issues fixed in previous releases of Apache Zeppelin 0.7.3 and 0.8.0 (CVE-2017-12619 CVE-2018-1317 CVE-2018-1328)",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/ff6b995a5a3ba8db4d6b14b4d9dd487e7bf2e3bdd5b375b64a25fd06@%3Cusers.zeppelin.apache.org%3E"
},
{
"name": "[oss-security] 20190423 Issues fixed in previous releases of Apache Zeppelin 0.7.3 and 0.8.0 (CVE-2017-12619 CVE-2018-1317 CVE-2018-1328)",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2019/04/23/1"
},
{
"name": "https://zeppelin.apache.org/releases/zeppelin-release-0.7.3.html",
"refsource": "MISC",
"url": "https://zeppelin.apache.org/releases/zeppelin-release-0.7.3.html"
},
{
"name": "108050",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/108050"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2017-12619",
"datePublished": "2019-04-23T14:45:16",
"dateReserved": "2017-08-07T00:00:00",
"dateUpdated": "2024-08-05T18:43:56.428Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-31863 (GCVE-0-2024-31863)
Vulnerability from cvelistv5
Published
2024-04-09 10:25
Modified
2025-03-25 18:21
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-290 - Authentication Bypass by Spoofing
Summary
Authentication Bypass by Spoofing vulnerability by replacing to exsiting notes in Apache Zeppelin.This issue affects Apache Zeppelin: from 0.10.1 before 0.11.0.
Users are recommended to upgrade to version 0.11.0, which fixes the issue.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Zeppelin |
Version: 0.10.1 ≤ |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:apache:zeppelin:0.10.1:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "zeppelin",
"vendor": "apache",
"versions": [
{
"lessThan": "0.11.0",
"status": "affected",
"version": "0.10.1",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-31863",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-25T18:20:37.629974Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-25T18:21:05.668Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T01:59:50.072Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/3od2gfpwllmtc9c5ggw04ohn8s7w3ct9"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2024/04/09/6"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.maven.apache.org/maven2",
"defaultStatus": "unaffected",
"packageName": "org.apache.zeppelin:zeppelin-server",
"product": "Apache Zeppelin",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "0.11.0",
"status": "affected",
"version": "0.10.1",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Esa Hiltunen"
},
{
"lang": "en",
"type": "finder",
"value": "https://teragrep.com"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Authentication Bypass by Spoofing vulnerability by replacing to exsiting notes in Apache Zeppelin.\u003cp\u003eThis issue affects Apache Zeppelin: from 0.10.1 before 0.11.0.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 0.11.0, which fixes the issue.\u003c/p\u003e"
}
],
"value": "Authentication Bypass by Spoofing vulnerability by replacing to exsiting notes in Apache Zeppelin.This issue affects Apache Zeppelin: from 0.10.1 before 0.11.0.\n\nUsers are recommended to upgrade to version 0.11.0, which fixes the issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "moderate"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-290",
"description": "CWE-290 Authentication Bypass by Spoofing",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-01T18:11:32.685Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/3od2gfpwllmtc9c5ggw04ohn8s7w3ct9"
},
{
"url": "http://www.openwall.com/lists/oss-security/2024/04/09/6"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache Zeppelin: Replacing other users notebook, bypassing any permissions",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2024-31863",
"datePublished": "2024-04-09T10:25:29.449Z",
"dateReserved": "2024-04-06T11:50:24.687Z",
"dateUpdated": "2025-03-25T18:21:05.668Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-31862 (GCVE-0-2024-31862)
Vulnerability from cvelistv5
Published
2024-04-09 09:40
Modified
2025-02-13 17:48
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-20 - Improper Input Validation
Summary
Improper Input Validation vulnerability in Apache Zeppelin when creating a new note from Zeppelin's UI.This issue affects Apache Zeppelin: from 0.10.1 before 0.11.0.
Users are recommended to upgrade to version 0.11.0, which fixes the issue.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Zeppelin |
Version: 0.10.1 ≤ |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T01:59:49.405Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"patch",
"x_transferred"
],
"url": "https://github.com/apache/zeppelin/pull/4632"
},
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/73xdjx43yg4yz8bd4p3o8vzyybkysmn0"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2024/04/09/5"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:apache:zeppelin:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "zeppelin",
"vendor": "apache",
"versions": [
{
"lessThan": "0.11.0",
"status": "affected",
"version": "0.10.1",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-31862",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-21T14:23:58.003132Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-21T14:30:40.495Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.maven.apache.org/maven2",
"defaultStatus": "unaffected",
"packageName": "org.apache.zeppelin:zeppelin-server",
"product": "Apache Zeppelin",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "0.11.0",
"status": "affected",
"version": "0.10.1",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Esa Hiltunen"
},
{
"lang": "en",
"type": "finder",
"value": "https://teragrep.com"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Input Validation vulnerability in Apache Zeppelin when creating a new note from Zeppelin\u0027s UI.\u003cp\u003eThis issue affects Apache Zeppelin: from 0.10.1 before 0.11.0.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 0.11.0, which fixes the issue.\u003c/p\u003e"
}
],
"value": "Improper Input Validation vulnerability in Apache Zeppelin when creating a new note from Zeppelin\u0027s UI.This issue affects Apache Zeppelin: from 0.10.1 before 0.11.0.\n\nUsers are recommended to upgrade to version 0.11.0, which fixes the issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "moderate"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-01T19:07:45.971Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/apache/zeppelin/pull/4632"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/73xdjx43yg4yz8bd4p3o8vzyybkysmn0"
},
{
"url": "http://www.openwall.com/lists/oss-security/2024/04/09/5"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache Zeppelin: Denial of service with invalid notebook name",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2024-31862",
"datePublished": "2024-04-09T09:40:39.495Z",
"dateReserved": "2024-04-06T11:50:12.789Z",
"dateUpdated": "2025-02-13T17:48:04.941Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-31867 (GCVE-0-2024-31867)
Vulnerability from cvelistv5
Published
2024-04-09 16:15
Modified
2025-02-13 17:52
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-20 - Improper Input Validation
Summary
Improper Input Validation vulnerability in Apache Zeppelin.
The attackers can execute malicious queries by setting improper configuration properties to LDAP search filter.
This issue affects Apache Zeppelin: from 0.8.2 before 0.11.1.
Users are recommended to upgrade to version 0.11.1, which fixes the issue.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Zeppelin |
Version: 0.8.2 ≤ |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-31867",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-04-10T19:22:49.563785Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-06T20:51:43.890Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T01:59:49.387Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"patch",
"x_transferred"
],
"url": "https://github.com/apache/zeppelin/pull/4714"
},
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/s4scw8bxdhrjs0kg0lhb68xqd8y9lrtf"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2024/04/09/12"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.maven.apache.org/maven2",
"defaultStatus": "unaffected",
"packageName": "org.apache.zeppelin:zeppelin-server",
"product": "Apache Zeppelin",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "0.11.1",
"status": "affected",
"version": "0.8.2",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Qing Xu"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Input Validation vulnerability in Apache Zeppelin.\u003cbr\u003e\u003cbr\u003eThe attackers can execute malicious queries by setting improper configuration properties to LDAP search filter.\u003cbr\u003e\u003cp\u003eThis issue affects Apache Zeppelin: from 0.8.2 before 0.11.1.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 0.11.1, which fixes the issue.\u003c/p\u003e"
}
],
"value": "Improper Input Validation vulnerability in Apache Zeppelin.\n\nThe attackers can execute malicious queries by setting improper configuration properties to LDAP search filter.\nThis issue affects Apache Zeppelin: from 0.8.2 before 0.11.1.\n\nUsers are recommended to upgrade to version 0.11.1, which fixes the issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "moderate"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-01T18:07:13.058Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/apache/zeppelin/pull/4714"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/s4scw8bxdhrjs0kg0lhb68xqd8y9lrtf"
},
{
"url": "http://www.openwall.com/lists/oss-security/2024/04/09/12"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache Zeppelin: LDAP search filter query Injection Vulnerability",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2024-31867",
"datePublished": "2024-04-09T16:15:47.978Z",
"dateReserved": "2024-04-06T11:51:11.435Z",
"dateUpdated": "2025-02-13T17:52:00.183Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-1317 (GCVE-0-2018-1317)
Vulnerability from cvelistv5
Published
2019-04-23 14:45
Modified
2024-08-05 03:59
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- Improper Authentication
Summary
In Apache Zeppelin prior to 0.8.0 the cron scheduler was enabled by default and could allow users to run paragraphs as other users without authentication.
References
| ► | URL | Tags | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Zeppelin |
Version: prior to 0.8.0 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T03:59:38.240Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "[zeppelin-users] 20190423 Issues fixed in previous releases of Apache Zeppelin 0.7.3 and 0.8.0 (CVE-2017-12619 CVE-2018-1317 CVE-2018-1328)",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/ff6b995a5a3ba8db4d6b14b4d9dd487e7bf2e3bdd5b375b64a25fd06%40%3Cusers.zeppelin.apache.org%3E"
},
{
"name": "[oss-security] 20190423 Issues fixed in previous releases of Apache Zeppelin 0.7.3 and 0.8.0 (CVE-2017-12619 CVE-2018-1317 CVE-2018-1328)",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2019/04/23/1"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://zeppelin.apache.org/releases/zeppelin-release-0.8.0.html"
},
{
"name": "108047",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/108047"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache Zeppelin",
"vendor": "Apache Software Foundation",
"versions": [
{
"status": "affected",
"version": "prior to 0.8.0"
}
]
}
],
"datePublic": "2019-04-23T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "In Apache Zeppelin prior to 0.8.0 the cron scheduler was enabled by default and could allow users to run paragraphs as other users without authentication."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Improper Authentication",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-04-24T10:05:59",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"name": "[zeppelin-users] 20190423 Issues fixed in previous releases of Apache Zeppelin 0.7.3 and 0.8.0 (CVE-2017-12619 CVE-2018-1317 CVE-2018-1328)",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/ff6b995a5a3ba8db4d6b14b4d9dd487e7bf2e3bdd5b375b64a25fd06%40%3Cusers.zeppelin.apache.org%3E"
},
{
"name": "[oss-security] 20190423 Issues fixed in previous releases of Apache Zeppelin 0.7.3 and 0.8.0 (CVE-2017-12619 CVE-2018-1317 CVE-2018-1328)",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2019/04/23/1"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://zeppelin.apache.org/releases/zeppelin-release-0.8.0.html"
},
{
"name": "108047",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/108047"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2018-1317",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache Zeppelin",
"version": {
"version_data": [
{
"version_value": "prior to 0.8.0"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In Apache Zeppelin prior to 0.8.0 the cron scheduler was enabled by default and could allow users to run paragraphs as other users without authentication."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Improper Authentication"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "[zeppelin-users] 20190423 Issues fixed in previous releases of Apache Zeppelin 0.7.3 and 0.8.0 (CVE-2017-12619 CVE-2018-1317 CVE-2018-1328)",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/ff6b995a5a3ba8db4d6b14b4d9dd487e7bf2e3bdd5b375b64a25fd06@%3Cusers.zeppelin.apache.org%3E"
},
{
"name": "[oss-security] 20190423 Issues fixed in previous releases of Apache Zeppelin 0.7.3 and 0.8.0 (CVE-2017-12619 CVE-2018-1317 CVE-2018-1328)",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2019/04/23/1"
},
{
"name": "https://zeppelin.apache.org/releases/zeppelin-release-0.8.0.html",
"refsource": "MISC",
"url": "https://zeppelin.apache.org/releases/zeppelin-release-0.8.0.html"
},
{
"name": "108047",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/108047"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2018-1317",
"datePublished": "2019-04-23T14:45:20",
"dateReserved": "2017-12-07T00:00:00",
"dateUpdated": "2024-08-05T03:59:38.240Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-28656 (GCVE-0-2021-28656)
Vulnerability from cvelistv5
Published
2024-04-09 09:12
Modified
2025-02-13 16:27
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Summary
Cross-Site Request Forgery (CSRF) vulnerability in Credential page of Apache Zeppelin allows an attacker to submit malicious request. This issue affects Apache Zeppelin Apache Zeppelin version 0.9.0 and prior versions.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Zeppelin |
Version: 0 ≤ 0.9.0 |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2021-28656",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-04-10T18:54:51.213129Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-01T15:40:01.147Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-03T21:47:32.969Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/dttzkkv4qyn1rq2fdv1r94otb1osxztc"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2024/04/09/3"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache Zeppelin",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "0.9.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jiang Qingzhi"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Cross-Site Request Forgery (CSRF) vulnerability in Credential page of Apache Zeppelin allows an attacker to submit malicious request. This issue affects Apache Zeppelin Apache Zeppelin version 0.9.0 and prior versions."
}
],
"value": "Cross-Site Request Forgery (CSRF) vulnerability in Credential page of Apache Zeppelin allows an attacker to submit malicious request. This issue affects Apache Zeppelin Apache Zeppelin version 0.9.0 and prior versions."
}
],
"metrics": [
{
"other": {
"content": {
"text": "low"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-01T17:08:57.522Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/dttzkkv4qyn1rq2fdv1r94otb1osxztc"
},
{
"url": "http://www.openwall.com/lists/oss-security/2024/04/09/3"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache Zeppelin: CSRF vulnerability in the Credentials page",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2021-28656",
"datePublished": "2024-04-09T09:12:58.493Z",
"dateReserved": "2021-03-17T08:27:58.338Z",
"dateUpdated": "2025-02-13T16:27:59.379Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-31860 (GCVE-0-2024-31860)
Vulnerability from cvelistv5
Published
2024-04-09 09:08
Modified
2025-05-06 13:12
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Summary
Improper Input Validation vulnerability in Apache Zeppelin.
By adding relative path indicators(E.g ..), attackers can see the contents for any files in the filesystem that the server account can access.
This issue affects Apache Zeppelin: from 0.9.0 before 0.11.0.
Users are recommended to upgrade to version 0.11.0, which fixes the issue.
References
| ► | URL | Tags |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Zeppelin |
Version: 0.9.0 ≤ |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:apache:zeppelin:0.9.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "zeppelin",
"vendor": "apache",
"versions": [
{
"status": "affected",
"version": "0.9.0"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-31860",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-04-22T18:40:26.643857Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:36:17.512Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T01:59:49.933Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"patch",
"x_transferred"
],
"url": "https://github.com/apache/zeppelin/pull/4632"
},
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/c0zfjnow3oc3dzc8w5rbkzj8lqj5jm5x"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2024/04/09/2"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.maven.apache.org/maven2",
"defaultStatus": "unaffected",
"packageName": "org.apache.zeppelin:zeppelin-server",
"product": "Apache Zeppelin",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "0.11.0",
"status": "affected",
"version": "0.9.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Kai Zhao"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Input Validation vulnerability in Apache Zeppelin.\u003cbr\u003e\u003cbr\u003eBy adding relative path indicators(E.g ..), attackers can see the contents for any files in the filesystem that the server account can access.\u0026nbsp;\u003cbr\u003e\u003cp\u003eThis issue affects Apache Zeppelin: from 0.9.0 before 0.11.0.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 0.11.0, which fixes the issue.\u003c/p\u003e"
}
],
"value": "Improper Input Validation vulnerability in Apache Zeppelin.\n\nBy adding relative path indicators(E.g ..), attackers can see the contents for any files in the filesystem that the server account can access.\u00a0\nThis issue affects Apache Zeppelin: from 0.9.0 before 0.11.0.\n\nUsers are recommended to upgrade to version 0.11.0, which fixes the issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "low"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-06T13:12:31.467Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/apache/zeppelin/pull/4632"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/c0zfjnow3oc3dzc8w5rbkzj8lqj5jm5x"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache Zeppelin: Path traversal vulnerability",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2024-31860",
"datePublished": "2024-04-09T09:08:28.802Z",
"dateReserved": "2024-04-06T11:49:32.612Z",
"dateUpdated": "2025-05-06T13:12:31.467Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}