Vulnerabilities related to apache - zeppelin
Vulnerability from fkie_nvd
Published
2019-04-23 15:29
Modified
2024-11-21 03:59
Summary
Apache Zeppelin prior to 0.8.0 had a stored XSS issue via Note permissions. Issue reported by "Josna Joseph".
References
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:apache:zeppelin:*:*:*:*:*:*:*:*", matchCriteriaId: "7F9E5FBB-9543-419F-8CE5-1BA5C3832FBD", versionEndExcluding: "0.8.0", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Apache Zeppelin prior to 0.8.0 had a stored XSS issue via Note permissions. Issue reported by \"Josna Joseph\".", }, { lang: "es", value: "Apache Zeppelin,versión anterior a 0.8.0, tenía un problema de XSS almacenado a través de los permisos de Note. Número publicado por \"Josna Joseph\".", }, ], id: "CVE-2018-1328", lastModified: "2024-11-21T03:59:38.150", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 4.3, confidentialityImpact: "NONE", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:M/Au:N/C:N/I:P/A:N", version: "2.0", }, exploitabilityScore: 8.6, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: true, }, ], cvssMetricV30: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.1, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", version: "3.0", }, exploitabilityScore: 2.8, impactScore: 2.7, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2019-04-23T15:29:00.497", references: [ { source: "security@apache.org", tags: [ "Mailing List", "Third Party Advisory", ], url: "http://www.openwall.com/lists/oss-security/2019/04/23/1", }, { source: "security@apache.org", tags: [ "Third Party Advisory", "VDB Entry", ], url: "http://www.securityfocus.com/bid/108047", }, { source: 
"security@apache.org", url: "https://lists.apache.org/thread.html/ff6b995a5a3ba8db4d6b14b4d9dd487e7bf2e3bdd5b375b64a25fd06%40%3Cusers.zeppelin.apache.org%3E", }, { source: "security@apache.org", tags: [ "Vendor Advisory", ], url: "https://zeppelin.apache.org/releases/zeppelin-release-0.8.0.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Mailing List", "Third Party Advisory", ], url: "http://www.openwall.com/lists/oss-security/2019/04/23/1", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", "VDB Entry", ], url: "http://www.securityfocus.com/bid/108047", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/ff6b995a5a3ba8db4d6b14b4d9dd487e7bf2e3bdd5b375b64a25fd06%40%3Cusers.zeppelin.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://zeppelin.apache.org/releases/zeppelin-release-0.8.0.html", }, ], sourceIdentifier: "security@apache.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-79", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2019-04-23 15:29
Modified
2024-11-21 03:59
Summary
In Apache Zeppelin prior to 0.8.0 the cron scheduler was enabled by default and could allow users to run paragraphs as other users without authentication.
References
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:apache:zeppelin:*:*:*:*:*:*:*:*", matchCriteriaId: "7F9E5FBB-9543-419F-8CE5-1BA5C3832FBD", versionEndExcluding: "0.8.0", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "In Apache Zeppelin prior to 0.8.0 the cron scheduler was enabled by default and could allow users to run paragraphs as other users without authentication.", }, { lang: "es", value: "En Apache Zeppelin, versión anterior a 0.8.0, el programador de cron estaba habilitado por defecto y permitía a los usuarios ejecutar párrafos como otros usuarios sin necesidad de autenticación.", }, ], id: "CVE-2018-1317", lastModified: "2024-11-21T03:59:36.850", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "SINGLE", availabilityImpact: "PARTIAL", baseScore: 6.5, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:L/Au:S/C:P/I:P/A:P", version: "2.0", }, exploitabilityScore: 8, impactScore: 6.4, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV30: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.8, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.0", }, exploitabilityScore: 2.8, impactScore: 5.9, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2019-04-23T15:29:00.390", references: [ { source: "security@apache.org", tags: [ "Mailing List", "Release Notes", "Third Party Advisory", ], url: "http://www.openwall.com/lists/oss-security/2019/04/23/1", }, { source: "security@apache.org", 
tags: [ "Third Party Advisory", "VDB Entry", ], url: "http://www.securityfocus.com/bid/108047", }, { source: "security@apache.org", url: "https://lists.apache.org/thread.html/ff6b995a5a3ba8db4d6b14b4d9dd487e7bf2e3bdd5b375b64a25fd06%40%3Cusers.zeppelin.apache.org%3E", }, { source: "security@apache.org", tags: [ "Release Notes", "Vendor Advisory", ], url: "https://zeppelin.apache.org/releases/zeppelin-release-0.8.0.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Mailing List", "Release Notes", "Third Party Advisory", ], url: "http://www.openwall.com/lists/oss-security/2019/04/23/1", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", "VDB Entry", ], url: "http://www.securityfocus.com/bid/108047", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/ff6b995a5a3ba8db4d6b14b4d9dd487e7bf2e3bdd5b375b64a25fd06%40%3Cusers.zeppelin.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Release Notes", "Vendor Advisory", ], url: "https://zeppelin.apache.org/releases/zeppelin-release-0.8.0.html", }, ], sourceIdentifier: "security@apache.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-287", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2022-12-16 13:15
Modified
2024-11-21 07:31
Summary
An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Apache Zeppelin allows logged-in users to execute arbitrary javascript in other users' browsers.
This issue affects Apache Zeppelin before 0.8.2. Users are recommended to upgrade to a supported version of Zeppelin.
References
Source | URL | Tags | |
---|---|---|---|
security@apache.org | https://lists.apache.org/thread/gb1wdnrm1095xw6qznpsycfrht4lwbwc | Mailing List, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://lists.apache.org/thread/gb1wdnrm1095xw6qznpsycfrht4lwbwc | Mailing List, Vendor Advisory |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:apache:zeppelin:*:*:*:*:*:*:*:*", matchCriteriaId: "4F2F0026-E844-4CC5-8875-27BBA4202B3C", versionEndExcluding: "0.8.2", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Apache Zeppelin allows logged-in users to execute arbitrary javascript in other users' browsers.\nThis issue affects Apache Zeppelin before 0.8.2. Users are recommended to upgrade to a supported version of Zeppelin.\n\n\n", }, { lang: "es", value: "Una vulnerabilidad de neutralización incorrecta de la entrada durante la generación de páginas web ('Cross-site Scripting') en Apache Zeppelin permite a los usuarios que han iniciado sesión ejecutar javascript arbitrario en los navegadores de otros usuarios. Este problema afecta a Apache Zeppelin antes de 0.8.2. Se recomienda a los usuarios actualizar a una versión compatible de Zeppelin.", }, ], id: "CVE-2022-46870", lastModified: "2024-11-21T07:31:12.807", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.4, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", version: "3.1", }, exploitabilityScore: 2.3, impactScore: 2.7, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2022-12-16T13:15:09.103", references: [ { source: "security@apache.org", tags: [ "Mailing List", "Vendor Advisory", ], url: "https://lists.apache.org/thread/gb1wdnrm1095xw6qznpsycfrht4lwbwc", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Mailing List", "Vendor Advisory", ], url: "https://lists.apache.org/thread/gb1wdnrm1095xw6qznpsycfrht4lwbwc", }, ], sourceIdentifier: 
"security@apache.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-79", }, ], source: "security@apache.org", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2021-09-02 17:15
Modified
2024-11-21 05:02
Summary
Authentication bypass vulnerability in Apache Zeppelin allows an attacker to bypass the Zeppelin authentication mechanism and act as another user. This issue affects Apache Zeppelin version 0.9.0 and prior versions.
References
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:apache:zeppelin:*:*:*:*:*:*:*:*", matchCriteriaId: "26319B3A-B658-40AE-83DA-62FEDEA6D002", versionEndIncluding: "0.9.0", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Authentication bypass vulnerability in Apache Zeppelin allows an attacker to bypass Zeppelin authentication mechanism to act as another user. This issue affects Apache Zeppelin Apache Zeppelin version 0.9.0 and prior versions.", }, { lang: "es", value: "Una vulnerabilidad de omisión de autenticación en Apache Zeppelin permite a un atacante omitir el mecanismo de autenticación de Zeppelin para actuar como otro usuario. Este problema afecta a versión 0.9.0 de Apache Zeppelin y versiones anteriores", }, ], id: "CVE-2020-13929", lastModified: "2024-11-21T05:02:10.197", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 5, confidentialityImpact: "NONE", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:L/Au:N/C:N/I:P/A:N", version: "2.0", }, exploitabilityScore: 10, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 3.6, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2021-09-02T17:15:07.860", references: [ { source: "security@apache.org", tags: [ "Mailing List", "Third Party Advisory", ], url: 
"http://www.openwall.com/lists/oss-security/2021/09/02/2", }, { source: "security@apache.org", url: "https://lists.apache.org/thread.html/r768800925d6407a6a87ccae0ec98776b7bda50c0e3ed3d0130dad028%40%3Cannounce.apache.org%3E", }, { source: "security@apache.org", tags: [ "Mailing List", "Vendor Advisory", ], url: "https://lists.apache.org/thread.html/r768800925d6407a6a87ccae0ec98776b7bda50c0e3ed3d0130dad028%40%3Cusers.zeppelin.apache.org%3E", }, { source: "security@apache.org", tags: [ "Mailing List", "Vendor Advisory", ], url: "https://lists.apache.org/thread.html/r768800925d6407a6a87ccae0ec98776b7bda50c0e3ed3d0130dad028%40%3Cusers.zeppelin.apache.org%3E", }, { source: "security@apache.org", url: "https://lists.apache.org/thread.html/r99529e175a7c1c9a26bd41a02802c8af7aa97319fe561874627eb999%40%3Cusers.zeppelin.apache.org%3E", }, { source: "security@apache.org", url: "https://security.gentoo.org/glsa/202311-04", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Mailing List", "Third Party Advisory", ], url: "http://www.openwall.com/lists/oss-security/2021/09/02/2", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r768800925d6407a6a87ccae0ec98776b7bda50c0e3ed3d0130dad028%40%3Cannounce.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Mailing List", "Vendor Advisory", ], url: "https://lists.apache.org/thread.html/r768800925d6407a6a87ccae0ec98776b7bda50c0e3ed3d0130dad028%40%3Cusers.zeppelin.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Mailing List", "Vendor Advisory", ], url: "https://lists.apache.org/thread.html/r768800925d6407a6a87ccae0ec98776b7bda50c0e3ed3d0130dad028%40%3Cusers.zeppelin.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r99529e175a7c1c9a26bd41a02802c8af7aa97319fe561874627eb999%40%3Cusers.zeppelin.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: 
"https://security.gentoo.org/glsa/202311-04", }, ], sourceIdentifier: "security@apache.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "NVD-CWE-noinfo", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2024-04-09 11:15
Modified
2025-03-25 19:15
Severity ?
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Summary
Authentication Bypass by Spoofing vulnerability, triggered by replacing existing notes, in Apache Zeppelin. This issue affects Apache Zeppelin from 0.10.1 before 0.11.0.
Users are recommended to upgrade to version 0.11.0, which fixes the issue.
References
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:apache:zeppelin:0.10.1:*:*:*:*:*:*:*", matchCriteriaId: "2A708A99-988D-485D-A762-BA4A119EE528", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Authentication Bypass by Spoofing vulnerability by replacing to exsiting notes in Apache Zeppelin.This issue affects Apache Zeppelin: from 0.10.1 before 0.11.0.\n\nUsers are recommended to upgrade to version 0.11.0, which fixes the issue.", }, { lang: "es", value: "Vulnerabilidad de omisión de autenticación mediante suplantación de identidad al reemplazar notas existentes en Apache Zeppelin. Este problema afecta a Apache Zeppelin: desde 0.10.1 antes de 0.11.0. Se recomienda a los usuarios actualizar a la versión 0.11.0, que soluciona el problema.", }, ], id: "CVE-2024-31863", lastModified: "2025-03-25T19:15:42.637", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 1.4, source: "nvd@nist.gov", type: "Primary", }, { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 1.4, source: "134c704f-9b21-4f2e-91b3-4a467353bcc0", type: "Secondary", }, ], }, published: "2024-04-09T11:15:31.713", references: [ { source: "security@apache.org", tags: [ "Mailing List", ], url: "http://www.openwall.com/lists/oss-security/2024/04/09/6", 
}, { source: "security@apache.org", tags: [ "Mailing List", ], url: "https://lists.apache.org/thread/3od2gfpwllmtc9c5ggw04ohn8s7w3ct9", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Mailing List", ], url: "http://www.openwall.com/lists/oss-security/2024/04/09/6", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Mailing List", ], url: "https://lists.apache.org/thread/3od2gfpwllmtc9c5ggw04ohn8s7w3ct9", }, ], sourceIdentifier: "security@apache.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-290", }, ], source: "security@apache.org", type: "Secondary", }, ], }
Vulnerability from fkie_nvd
Published
2021-09-02 17:15
Modified
2024-11-21 04:18
Summary
Bash command injection vulnerability in Apache Zeppelin allows an attacker to inject system commands via the Spark interpreter settings. This issue affects Apache Zeppelin version 0.9.0 and prior versions.
References
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:apache:zeppelin:*:*:*:*:*:*:*:*", matchCriteriaId: "26319B3A-B658-40AE-83DA-62FEDEA6D002", versionEndIncluding: "0.9.0", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "bash command injection vulnerability in Apache Zeppelin allows an attacker to inject system commands into Spark interpreter settings. This issue affects Apache Zeppelin Apache Zeppelin version 0.9.0 and prior versions.", }, { lang: "es", value: "Una vulnerabilidad de inyección de comandos bash en Apache Zeppelin, permite a un atacante inyectar comandos del sistema en la configuración del intérprete de Spark. Este problema afecta a Apache Zeppelin Apache Zeppelin versión 0.9.0 y versiones anteriores", }, ], id: "CVE-2019-10095", lastModified: "2024-11-21T04:18:23.723", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "HIGH", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "COMPLETE", baseScore: 10, confidentialityImpact: "COMPLETE", integrityImpact: "COMPLETE", vectorString: "AV:N/AC:L/Au:N/C:C/I:C/A:C", version: "2.0", }, exploitabilityScore: 10, impactScore: 10, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.8, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 5.9, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2021-09-02T17:15:07.787", references: [ { source: "security@apache.org", tags: [ "Mailing List", "Third Party 
Advisory", ], url: "http://www.openwall.com/lists/oss-security/2021/09/02/1", }, { source: "security@apache.org", url: "https://lists.apache.org/thread.html/rd56389ba9cab30a6c976b9a4a6df0f85cbe8fba6a60a3cf6e3ba716b%40%3Cusers.zeppelin.apache.org%3E", }, { source: "security@apache.org", url: "https://lists.apache.org/thread.html/rdf06e8423833b3daadc30c56a2ff47c48920864d5199476daa897208%40%3Cannounce.apache.org%3E", }, { source: "security@apache.org", tags: [ "Mailing List", "Vendor Advisory", ], url: "https://lists.apache.org/thread.html/rdf06e8423833b3daadc30c56a2ff47c48920864d5199476daa897208%40%3Cusers.zeppelin.apache.org%3E", }, { source: "security@apache.org", tags: [ "Mailing List", "Vendor Advisory", ], url: "https://lists.apache.org/thread.html/rdf06e8423833b3daadc30c56a2ff47c48920864d5199476daa897208%40%3Cusers.zeppelin.apache.org%3E", }, { source: "security@apache.org", url: "https://security.gentoo.org/glsa/202311-04", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Mailing List", "Third Party Advisory", ], url: "http://www.openwall.com/lists/oss-security/2021/09/02/1", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/rd56389ba9cab30a6c976b9a4a6df0f85cbe8fba6a60a3cf6e3ba716b%40%3Cusers.zeppelin.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/rdf06e8423833b3daadc30c56a2ff47c48920864d5199476daa897208%40%3Cannounce.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Mailing List", "Vendor Advisory", ], url: "https://lists.apache.org/thread.html/rdf06e8423833b3daadc30c56a2ff47c48920864d5199476daa897208%40%3Cusers.zeppelin.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Mailing List", "Vendor Advisory", ], url: "https://lists.apache.org/thread.html/rdf06e8423833b3daadc30c56a2ff47c48920864d5199476daa897208%40%3Cusers.zeppelin.apache.org%3E", }, { source: 
"af854a3a-2127-422b-91ae-364da2661108", url: "https://security.gentoo.org/glsa/202311-04", }, ], sourceIdentifier: "security@apache.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-77", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2019-04-23 15:29
Modified
2024-11-21 03:09
Summary
Apache Zeppelin prior to 0.7.3 was vulnerable to session fixation which allowed an attacker to hijack a valid user session. Issue was reported by "stone lone".
References
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:apache:zeppelin:*:*:*:*:*:*:*:*", matchCriteriaId: "BAADB20F-7BF2-416E-81A2-354B86126B10", versionEndExcluding: "0.7.3", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Apache Zeppelin prior to 0.7.3 was vulnerable to session fixation which allowed an attacker to hijack a valid user session. Issue was reported by \"stone lone\".", }, { lang: "es", value: "Apache Zeppelin,versión anterior a 0.7.3, era vulnerable a la fijación de sesiones, lo que permitía a un atacante secuestrar una sesión de usuario válida. El tema fue reportado por \"stone lone\".", }, ], id: "CVE-2017-12619", lastModified: "2024-11-21T03:09:54.647", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 5.8, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:M/Au:N/C:P/I:P/A:N", version: "2.0", }, exploitabilityScore: 8.6, impactScore: 4.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: true, }, ], cvssMetricV30: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 8.1, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", version: "3.0", }, exploitabilityScore: 2.8, impactScore: 5.2, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2019-04-23T15:29:00.233", references: [ { source: "security@apache.org", tags: [ "Mailing List", "Release Notes", "Third Party Advisory", ], url: "http://www.openwall.com/lists/oss-security/2019/04/23/1", }, { source: 
"security@apache.org", tags: [ "Third Party Advisory", "VDB Entry", ], url: "http://www.securityfocus.com/bid/108050", }, { source: "security@apache.org", url: "https://lists.apache.org/thread.html/ff6b995a5a3ba8db4d6b14b4d9dd487e7bf2e3bdd5b375b64a25fd06%40%3Cusers.zeppelin.apache.org%3E", }, { source: "security@apache.org", tags: [ "Release Notes", "Vendor Advisory", ], url: "https://zeppelin.apache.org/releases/zeppelin-release-0.7.3.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Mailing List", "Release Notes", "Third Party Advisory", ], url: "http://www.openwall.com/lists/oss-security/2019/04/23/1", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", "VDB Entry", ], url: "http://www.securityfocus.com/bid/108050", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/ff6b995a5a3ba8db4d6b14b4d9dd487e7bf2e3bdd5b375b64a25fd06%40%3Cusers.zeppelin.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Release Notes", "Vendor Advisory", ], url: "https://zeppelin.apache.org/releases/zeppelin-release-0.7.3.html", }, ], sourceIdentifier: "security@apache.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-384", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2022-12-16 13:15
Modified
2024-11-21 06:00
Summary
An improper input validation vulnerability in the "Move folder to Trash" feature of Apache Zeppelin allows an attacker to delete arbitrary files. This issue affects Apache Zeppelin version 0.9.0 and prior versions.
References
Source | URL | Tags | |
---|---|---|---|
security@apache.org | https://lists.apache.org/thread/bxs056g3xlsofz0jb3wny9dw4llwptd2 | Mailing List, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://lists.apache.org/thread/bxs056g3xlsofz0jb3wny9dw4llwptd2 | Mailing List, Vendor Advisory |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:apache:zeppelin:*:*:*:*:*:*:*:*", matchCriteriaId: "26319B3A-B658-40AE-83DA-62FEDEA6D002", versionEndIncluding: "0.9.0", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "The improper Input Validation vulnerability in \"”Move folder to Trash” feature of Apache Zeppelin allows an attacker to delete the arbitrary files. This issue affects Apache Zeppelin Apache Zeppelin version 0.9.0 and prior versions.", }, { lang: "es", value: "La vulnerabilidad de validación de entrada incorrecta en la función \"Move folder to Trash\" de Apache Zeppelin permite a un atacante eliminar archivos arbitrarios. Este problema afecta a Apache Zeppelin Apache Zeppelin versión 0.9.0 y versiones anteriores.", }, ], id: "CVE-2021-28655", lastModified: "2024-11-21T06:00:02.277", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 2.5, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2022-12-16T13:15:08.723", references: [ { source: "security@apache.org", tags: [ "Mailing List", "Vendor Advisory", ], url: "https://lists.apache.org/thread/bxs056g3xlsofz0jb3wny9dw4llwptd2", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Mailing List", "Vendor Advisory", ], url: "https://lists.apache.org/thread/bxs056g3xlsofz0jb3wny9dw4llwptd2", }, ], sourceIdentifier: "security@apache.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-20", }, ], source: "security@apache.org", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2021-09-02 17:15
Modified
2024-11-21 05:58
Summary
Cross-site scripting vulnerability in the markdown interpreter of Apache Zeppelin allows an attacker to inject malicious scripts. This issue affects Apache Zeppelin versions prior to 0.9.0.
References
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:apache:zeppelin:*:*:*:*:*:*:*:*", matchCriteriaId: "BA0F4889-2BB4-47AA-AAF0-A2FC8E176F16", versionEndExcluding: "0.9.0", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Cross Site Scripting vulnerability in markdown interpreter of Apache Zeppelin allows an attacker to inject malicious scripts. This issue affects Apache Zeppelin Apache Zeppelin versions prior to 0.9.0.", }, { lang: "es", value: "Una vulnerabilidad de tipo Cross Site Scripting en el intérprete de markdown de Apache Zeppelin permite a un atacante inyectar scripts maliciosos. Este problema afecta a versiones de Apache Zeppelin anteriores a 0.9.0", }, ], id: "CVE-2021-27578", lastModified: "2024-11-21T05:58:13.630", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 4.3, confidentialityImpact: "NONE", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:M/Au:N/C:N/I:P/A:N", version: "2.0", }, exploitabilityScore: 8.6, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: true, }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.1, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 2.7, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2021-09-02T17:15:08.453", references: [ { source: "security@apache.org", tags: [ "Mailing List", "Third Party Advisory", ], url: 
"http://www.openwall.com/lists/oss-security/2021/09/02/3", }, { source: "security@apache.org", url: "https://lists.apache.org/thread.html/r31012f2c8e39a5e12e14c1de030012cb8b51c037d953d73b291b7b50%40%3Cusers.zeppelin.apache.org%3E", }, { source: "security@apache.org", url: "https://lists.apache.org/thread.html/r90590aa5ea788128ecc2e822e1e64d5200b4cb92b06707b38da4cb3d%40%3Cannounce.apache.org%3E", }, { source: "security@apache.org", tags: [ "Mailing List", "Vendor Advisory", ], url: "https://lists.apache.org/thread.html/r90590aa5ea788128ecc2e822e1e64d5200b4cb92b06707b38da4cb3d%40%3Cusers.zeppelin.apache.org%3E", }, { source: "security@apache.org", tags: [ "Mailing List", "Vendor Advisory", ], url: "https://lists.apache.org/thread.html/r90590aa5ea788128ecc2e822e1e64d5200b4cb92b06707b38da4cb3d%40%3Cusers.zeppelin.apache.org%3E", }, { source: "security@apache.org", url: "https://security.gentoo.org/glsa/202311-04", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Mailing List", "Third Party Advisory", ], url: "http://www.openwall.com/lists/oss-security/2021/09/02/3", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r31012f2c8e39a5e12e14c1de030012cb8b51c037d953d73b291b7b50%40%3Cusers.zeppelin.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r90590aa5ea788128ecc2e822e1e64d5200b4cb92b06707b38da4cb3d%40%3Cannounce.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Mailing List", "Vendor Advisory", ], url: "https://lists.apache.org/thread.html/r90590aa5ea788128ecc2e822e1e64d5200b4cb92b06707b38da4cb3d%40%3Cusers.zeppelin.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Mailing List", "Vendor Advisory", ], url: "https://lists.apache.org/thread.html/r90590aa5ea788128ecc2e822e1e64d5200b4cb92b06707b38da4cb3d%40%3Cusers.zeppelin.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: 
"https://security.gentoo.org/glsa/202311-04", }, ], sourceIdentifier: "security@apache.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-79", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
cve-2020-13929
Vulnerability from cvelistv5
Published
2021-09-02 00:00
Modified
2024-08-04 12:32
Summary
Authentication bypass vulnerability in Apache Zeppelin allows an attacker to bypass the Zeppelin authentication mechanism and act as another user. This issue affects Apache Zeppelin version 0.9.0 and prior versions.
References
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Apache Software Foundation | Apache Zeppelin |
Version: Apache Zeppelin ≤ 0.9.0 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-04T12:32:14.441Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://lists.apache.org/thread.html/r768800925d6407a6a87ccae0ec98776b7bda50c0e3ed3d0130dad028%40%3Cusers.zeppelin.apache.org%3E", }, { name: "[zeppelin-users] 20210902 CVE-2020-13929: Apache Zeppelin: Notebook permissions bypass", tags: [ "mailing-list", "x_transferred", ], url: "https://lists.apache.org/thread.html/r768800925d6407a6a87ccae0ec98776b7bda50c0e3ed3d0130dad028%40%3Cusers.zeppelin.apache.org%3E", }, { name: "[oss-security] 20210902 CVE-2020-13929: Apache Zeppelin: Notebook permissions bypass", tags: [ "mailing-list", "x_transferred", ], url: "http://www.openwall.com/lists/oss-security/2021/09/02/2", }, { name: "[announce] 20210902 CVE-2020-13929: Apache Zeppelin: Notebook permissions bypass", tags: [ "mailing-list", "x_transferred", ], url: "https://lists.apache.org/thread.html/r768800925d6407a6a87ccae0ec98776b7bda50c0e3ed3d0130dad028%40%3Cannounce.apache.org%3E", }, { name: "[zeppelin-users] 20210928 Re: CVE-2020-13929: Apache Zeppelin: Notebook permissions bypass", tags: [ "mailing-list", "x_transferred", ], url: "https://lists.apache.org/thread.html/r99529e175a7c1c9a26bd41a02802c8af7aa97319fe561874627eb999%40%3Cusers.zeppelin.apache.org%3E", }, { name: "GLSA-202311-04", tags: [ "vendor-advisory", "x_transferred", ], url: "https://security.gentoo.org/glsa/202311-04", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "Apache Zeppelin", vendor: "Apache Software Foundation", versions: [ { lessThanOrEqual: "0.9.0", status: "affected", version: "Apache Zeppelin", versionType: "custom", }, ], }, ], credits: [ { lang: "en", value: "Apache Zeppelin would like to thank David Woodhouse for reporting this issue ", }, ], descriptions: [ { lang: "en", value: "Authentication bypass vulnerability in Apache Zeppelin allows an attacker to 
bypass Zeppelin authentication mechanism to act as another user. This issue affects Apache Zeppelin Apache Zeppelin version 0.9.0 and prior versions.", }, ], metrics: [ { other: { content: { other: "critical", }, type: "unknown", }, }, ], problemTypes: [ { descriptions: [ { description: "authentication bypass", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2023-11-24T14:06:22.066265", orgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", shortName: "apache", }, references: [ { url: "https://lists.apache.org/thread.html/r768800925d6407a6a87ccae0ec98776b7bda50c0e3ed3d0130dad028%40%3Cusers.zeppelin.apache.org%3E", }, { name: "[zeppelin-users] 20210902 CVE-2020-13929: Apache Zeppelin: Notebook permissions bypass", tags: [ "mailing-list", ], url: "https://lists.apache.org/thread.html/r768800925d6407a6a87ccae0ec98776b7bda50c0e3ed3d0130dad028%40%3Cusers.zeppelin.apache.org%3E", }, { name: "[oss-security] 20210902 CVE-2020-13929: Apache Zeppelin: Notebook permissions bypass", tags: [ "mailing-list", ], url: "http://www.openwall.com/lists/oss-security/2021/09/02/2", }, { name: "[announce] 20210902 CVE-2020-13929: Apache Zeppelin: Notebook permissions bypass", tags: [ "mailing-list", ], url: "https://lists.apache.org/thread.html/r768800925d6407a6a87ccae0ec98776b7bda50c0e3ed3d0130dad028%40%3Cannounce.apache.org%3E", }, { name: "[zeppelin-users] 20210928 Re: CVE-2020-13929: Apache Zeppelin: Notebook permissions bypass", tags: [ "mailing-list", ], url: "https://lists.apache.org/thread.html/r99529e175a7c1c9a26bd41a02802c8af7aa97319fe561874627eb999%40%3Cusers.zeppelin.apache.org%3E", }, { name: "GLSA-202311-04", tags: [ "vendor-advisory", ], url: "https://security.gentoo.org/glsa/202311-04", }, ], source: { discovery: "UNKNOWN", }, title: "Notebook permissions bypass", x_generator: { engine: "Vulnogram 0.0.9", }, }, }, cveMetadata: { assignerOrgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", assignerShortName: "apache", cveId: "CVE-2020-13929", datePublished: 
"2021-09-02T00:00:00", dateReserved: "2020-06-08T00:00:00", dateUpdated: "2024-08-04T12:32:14.441Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2018-1328
Vulnerability from cvelistv5
Published
2019-04-23 14:45
Modified
2024-08-05 03:59
Summary
Apache Zeppelin prior to 0.8.0 had a stored XSS issue via Note permissions. Issue reported by "Josna Joseph".
References
▼ | URL | Tags |
---|---|---|
https://lists.apache.org/thread.html/ff6b995a5a3ba8db4d6b14b4d9dd487e7bf2e3bdd5b375b64a25fd06%40%3Cusers.zeppelin.apache.org%3E | mailing-list, x_refsource_MLIST | |
http://www.openwall.com/lists/oss-security/2019/04/23/1 | mailing-list, x_refsource_MLIST | |
https://zeppelin.apache.org/releases/zeppelin-release-0.8.0.html | x_refsource_MISC | |
http://www.securityfocus.com/bid/108047 | vdb-entry, x_refsource_BID |
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Apache Software Foundation | Apache Zeppelin |
Version: prior to 0.8.0 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-05T03:59:38.883Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { name: "[zeppelin-users] 20190423 Issues fixed in previous releases of Apache Zeppelin 0.7.3 and 0.8.0 (CVE-2017-12619 CVE-2018-1317 CVE-2018-1328)", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/ff6b995a5a3ba8db4d6b14b4d9dd487e7bf2e3bdd5b375b64a25fd06%40%3Cusers.zeppelin.apache.org%3E", }, { name: "[oss-security] 20190423 Issues fixed in previous releases of Apache Zeppelin 0.7.3 and 0.8.0 (CVE-2017-12619 CVE-2018-1317 CVE-2018-1328)", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "http://www.openwall.com/lists/oss-security/2019/04/23/1", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://zeppelin.apache.org/releases/zeppelin-release-0.8.0.html", }, { name: "108047", tags: [ "vdb-entry", "x_refsource_BID", "x_transferred", ], url: "http://www.securityfocus.com/bid/108047", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "Apache Zeppelin", vendor: "Apache Software Foundation", versions: [ { status: "affected", version: "prior to 0.8.0", }, ], }, ], datePublic: "2019-04-23T00:00:00", descriptions: [ { lang: "en", value: "Apache Zeppelin prior to 0.8.0 had a stored XSS issue via Note permissions. 
Issue reported by \"Josna Joseph\".", }, ], problemTypes: [ { descriptions: [ { description: "Stored XSS", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2019-04-24T10:05:59", orgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", shortName: "apache", }, references: [ { name: "[zeppelin-users] 20190423 Issues fixed in previous releases of Apache Zeppelin 0.7.3 and 0.8.0 (CVE-2017-12619 CVE-2018-1317 CVE-2018-1328)", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/ff6b995a5a3ba8db4d6b14b4d9dd487e7bf2e3bdd5b375b64a25fd06%40%3Cusers.zeppelin.apache.org%3E", }, { name: "[oss-security] 20190423 Issues fixed in previous releases of Apache Zeppelin 0.7.3 and 0.8.0 (CVE-2017-12619 CVE-2018-1317 CVE-2018-1328)", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "http://www.openwall.com/lists/oss-security/2019/04/23/1", }, { tags: [ "x_refsource_MISC", ], url: "https://zeppelin.apache.org/releases/zeppelin-release-0.8.0.html", }, { name: "108047", tags: [ "vdb-entry", "x_refsource_BID", ], url: "http://www.securityfocus.com/bid/108047", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "security@apache.org", ID: "CVE-2018-1328", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "Apache Zeppelin", version: { version_data: [ { version_value: "prior to 0.8.0", }, ], }, }, ], }, vendor_name: "Apache Software Foundation", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "Apache Zeppelin prior to 0.8.0 had a stored XSS issue via Note permissions. 
Issue reported by \"Josna Joseph\".", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "Stored XSS", }, ], }, ], }, references: { reference_data: [ { name: "[zeppelin-users] 20190423 Issues fixed in previous releases of Apache Zeppelin 0.7.3 and 0.8.0 (CVE-2017-12619 CVE-2018-1317 CVE-2018-1328)", refsource: "MLIST", url: "https://lists.apache.org/thread.html/ff6b995a5a3ba8db4d6b14b4d9dd487e7bf2e3bdd5b375b64a25fd06@%3Cusers.zeppelin.apache.org%3E", }, { name: "[oss-security] 20190423 Issues fixed in previous releases of Apache Zeppelin 0.7.3 and 0.8.0 (CVE-2017-12619 CVE-2018-1317 CVE-2018-1328)", refsource: "MLIST", url: "http://www.openwall.com/lists/oss-security/2019/04/23/1", }, { name: "https://zeppelin.apache.org/releases/zeppelin-release-0.8.0.html", refsource: "MISC", url: "https://zeppelin.apache.org/releases/zeppelin-release-0.8.0.html", }, { name: "108047", refsource: "BID", url: "http://www.securityfocus.com/bid/108047", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", assignerShortName: "apache", cveId: "CVE-2018-1328", datePublished: "2019-04-23T14:45:24", dateReserved: "2017-12-07T00:00:00", dateUpdated: "2024-08-05T03:59:38.883Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2021-28655
Vulnerability from cvelistv5
Published
2022-12-16 12:51
Modified
2024-08-03 21:47
Summary
The Improper Input Validation vulnerability in the "Move folder to Trash" feature of Apache Zeppelin allows an attacker to delete arbitrary files. This issue affects Apache Zeppelin version 0.9.0 and prior versions.
References
▼ | URL | Tags |
---|---|---|
https://lists.apache.org/thread/bxs056g3xlsofz0jb3wny9dw4llwptd2 | vendor-advisory |
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Apache Software Foundation | Apache Zeppelin |
Version: 0 ≤ 0.9.0 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-03T21:47:33.056Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "vendor-advisory", "x_transferred", ], url: "https://lists.apache.org/thread/bxs056g3xlsofz0jb3wny9dw4llwptd2", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Apache Zeppelin", vendor: "Apache Software Foundation", versions: [ { lessThanOrEqual: "0.9.0", status: "affected", version: "0", versionType: "custom", }, ], }, ], credits: [ { lang: "en", type: "finder", value: "Kai Zhao", }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "The improper Input Validation vulnerability in \"”Move folder to Trash” feature of Apache Zeppelin allows an attacker to delete the arbitrary files. This issue affects Apache Zeppelin Apache Zeppelin version 0.9.0 and prior versions.", }, ], value: "The improper Input Validation vulnerability in \"”Move folder to Trash” feature of Apache Zeppelin allows an attacker to delete the arbitrary files. 
This issue affects Apache Zeppelin Apache Zeppelin version 0.9.0 and prior versions.", }, ], metrics: [ { other: { content: { text: "important", }, type: "Textual description of severity", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-20", description: "CWE-20 Improper Input Validation", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2022-12-19T12:55:19.145Z", orgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", shortName: "apache", }, references: [ { tags: [ "vendor-advisory", ], url: "https://lists.apache.org/thread/bxs056g3xlsofz0jb3wny9dw4llwptd2", }, ], source: { discovery: "UNKNOWN", }, title: "Apache Zeppelin: Arbitrary file deletion vulnerability", x_generator: { engine: "Vulnogram 0.1.0-dev", }, }, }, cveMetadata: { assignerOrgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", assignerShortName: "apache", cveId: "CVE-2021-28655", datePublished: "2022-12-16T12:51:51.927Z", dateReserved: "2021-03-17T08:27:06.184Z", dateUpdated: "2024-08-03T21:47:33.056Z", requesterUserId: "01d7ebfd-4418-401d-b8e4-f5ae3da29160", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2017-12619
Vulnerability from cvelistv5
Published
2019-04-23 14:45
Modified
2024-08-05 18:43
Summary
Apache Zeppelin prior to 0.7.3 was vulnerable to session fixation which allowed an attacker to hijack a valid user session. Issue was reported by "stone lone".
References
▼ | URL | Tags |
---|---|---|
https://lists.apache.org/thread.html/ff6b995a5a3ba8db4d6b14b4d9dd487e7bf2e3bdd5b375b64a25fd06%40%3Cusers.zeppelin.apache.org%3E | mailing-list, x_refsource_MLIST | |
http://www.openwall.com/lists/oss-security/2019/04/23/1 | mailing-list, x_refsource_MLIST | |
https://zeppelin.apache.org/releases/zeppelin-release-0.7.3.html | x_refsource_MISC | |
http://www.securityfocus.com/bid/108050 | vdb-entry, x_refsource_BID |
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Apache Software Foundation | Apache Zeppelin |
Version: prior to 0.7.3 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-05T18:43:56.428Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { name: "[zeppelin-users] 20190423 Issues fixed in previous releases of Apache Zeppelin 0.7.3 and 0.8.0 (CVE-2017-12619 CVE-2018-1317 CVE-2018-1328)", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/ff6b995a5a3ba8db4d6b14b4d9dd487e7bf2e3bdd5b375b64a25fd06%40%3Cusers.zeppelin.apache.org%3E", }, { name: "[oss-security] 20190423 Issues fixed in previous releases of Apache Zeppelin 0.7.3 and 0.8.0 (CVE-2017-12619 CVE-2018-1317 CVE-2018-1328)", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "http://www.openwall.com/lists/oss-security/2019/04/23/1", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://zeppelin.apache.org/releases/zeppelin-release-0.7.3.html", }, { name: "108050", tags: [ "vdb-entry", "x_refsource_BID", "x_transferred", ], url: "http://www.securityfocus.com/bid/108050", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "Apache Zeppelin", vendor: "Apache Software Foundation", versions: [ { status: "affected", version: "prior to 0.7.3", }, ], }, ], datePublic: "2019-04-23T00:00:00", descriptions: [ { lang: "en", value: "Apache Zeppelin prior to 0.7.3 was vulnerable to session fixation which allowed an attacker to hijack a valid user session. 
Issue was reported by \"stone lone\".", }, ], problemTypes: [ { descriptions: [ { description: "Session Fixation", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2019-04-24T10:05:59", orgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", shortName: "apache", }, references: [ { name: "[zeppelin-users] 20190423 Issues fixed in previous releases of Apache Zeppelin 0.7.3 and 0.8.0 (CVE-2017-12619 CVE-2018-1317 CVE-2018-1328)", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/ff6b995a5a3ba8db4d6b14b4d9dd487e7bf2e3bdd5b375b64a25fd06%40%3Cusers.zeppelin.apache.org%3E", }, { name: "[oss-security] 20190423 Issues fixed in previous releases of Apache Zeppelin 0.7.3 and 0.8.0 (CVE-2017-12619 CVE-2018-1317 CVE-2018-1328)", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "http://www.openwall.com/lists/oss-security/2019/04/23/1", }, { tags: [ "x_refsource_MISC", ], url: "https://zeppelin.apache.org/releases/zeppelin-release-0.7.3.html", }, { name: "108050", tags: [ "vdb-entry", "x_refsource_BID", ], url: "http://www.securityfocus.com/bid/108050", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "security@apache.org", ID: "CVE-2017-12619", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "Apache Zeppelin", version: { version_data: [ { version_value: "prior to 0.7.3", }, ], }, }, ], }, vendor_name: "Apache Software Foundation", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "Apache Zeppelin prior to 0.7.3 was vulnerable to session fixation which allowed an attacker to hijack a valid user session. 
Issue was reported by \"stone lone\".", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "Session Fixation", }, ], }, ], }, references: { reference_data: [ { name: "[zeppelin-users] 20190423 Issues fixed in previous releases of Apache Zeppelin 0.7.3 and 0.8.0 (CVE-2017-12619 CVE-2018-1317 CVE-2018-1328)", refsource: "MLIST", url: "https://lists.apache.org/thread.html/ff6b995a5a3ba8db4d6b14b4d9dd487e7bf2e3bdd5b375b64a25fd06@%3Cusers.zeppelin.apache.org%3E", }, { name: "[oss-security] 20190423 Issues fixed in previous releases of Apache Zeppelin 0.7.3 and 0.8.0 (CVE-2017-12619 CVE-2018-1317 CVE-2018-1328)", refsource: "MLIST", url: "http://www.openwall.com/lists/oss-security/2019/04/23/1", }, { name: "https://zeppelin.apache.org/releases/zeppelin-release-0.7.3.html", refsource: "MISC", url: "https://zeppelin.apache.org/releases/zeppelin-release-0.7.3.html", }, { name: "108050", refsource: "BID", url: "http://www.securityfocus.com/bid/108050", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", assignerShortName: "apache", cveId: "CVE-2017-12619", datePublished: "2019-04-23T14:45:16", dateReserved: "2017-08-07T00:00:00", dateUpdated: "2024-08-05T18:43:56.428Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-31863
Vulnerability from cvelistv5
Published
2024-04-09 10:25
Modified
2025-03-25 18:21
Summary
Authentication Bypass by Spoofing vulnerability by replacing existing notes in Apache Zeppelin. This issue affects Apache Zeppelin: from 0.10.1 before 0.11.0.
Users are recommended to upgrade to version 0.11.0, which fixes the issue.
References
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Apache Software Foundation | Apache Zeppelin |
Version: 0.10.1 ≤ version < 0.11.0 |
{ containers: { adp: [ { affected: [ { cpes: [ "cpe:2.3:a:apache:zeppelin:0.10.1:*:*:*:*:*:*:*", ], defaultStatus: "unknown", product: "zeppelin", vendor: "apache", versions: [ { lessThan: "0.11.0", status: "affected", version: "0.10.1", versionType: "custom", }, ], }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", version: "3.1", }, }, { other: { content: { id: "CVE-2024-31863", options: [ { Exploitation: "none", }, { Automatable: "yes", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2025-03-25T18:20:37.629974Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2025-03-25T18:21:05.668Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, { providerMetadata: { dateUpdated: "2024-08-02T01:59:50.072Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "vendor-advisory", "x_transferred", ], url: "https://lists.apache.org/thread/3od2gfpwllmtc9c5ggw04ohn8s7w3ct9", }, { tags: [ "x_transferred", ], url: "http://www.openwall.com/lists/oss-security/2024/04/09/6", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { collectionURL: "https://repo.maven.apache.org/maven2", defaultStatus: "unaffected", packageName: "org.apache.zeppelin:zeppelin-server", product: "Apache Zeppelin", vendor: "Apache Software Foundation", versions: [ { lessThan: "0.11.0", status: "affected", version: "0.10.1", versionType: "semver", }, ], }, ], credits: [ { lang: "en", type: "finder", value: "Esa Hiltunen", }, { lang: "en", type: "finder", value: "https://teragrep.com", }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: 
"text/html", value: "Authentication Bypass by Spoofing vulnerability by replacing to exsiting notes in Apache Zeppelin.<p>This issue affects Apache Zeppelin: from 0.10.1 before 0.11.0.</p><p>Users are recommended to upgrade to version 0.11.0, which fixes the issue.</p>", }, ], value: "Authentication Bypass by Spoofing vulnerability by replacing to exsiting notes in Apache Zeppelin.This issue affects Apache Zeppelin: from 0.10.1 before 0.11.0.\n\nUsers are recommended to upgrade to version 0.11.0, which fixes the issue.", }, ], metrics: [ { other: { content: { text: "moderate", }, type: "Textual description of severity", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-290", description: "CWE-290 Authentication Bypass by Spoofing", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2024-05-01T18:11:32.685Z", orgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", shortName: "apache", }, references: [ { tags: [ "vendor-advisory", ], url: "https://lists.apache.org/thread/3od2gfpwllmtc9c5ggw04ohn8s7w3ct9", }, { url: "http://www.openwall.com/lists/oss-security/2024/04/09/6", }, ], source: { discovery: "UNKNOWN", }, title: "Apache Zeppelin: Replacing other users notebook, bypassing any permissions", x_generator: { engine: "Vulnogram 0.1.0-dev", }, }, }, cveMetadata: { assignerOrgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", assignerShortName: "apache", cveId: "CVE-2024-31863", datePublished: "2024-04-09T10:25:29.449Z", dateReserved: "2024-04-06T11:50:24.687Z", dateUpdated: "2025-03-25T18:21:05.668Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2022-46870
Vulnerability from cvelistv5
Published
2022-12-16 12:55
Modified
2024-08-03 14:39
Summary
An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Apache Zeppelin allows logged-in users to execute arbitrary JavaScript in other users' browsers.
This issue affects Apache Zeppelin before 0.8.2. Users are recommended to upgrade to a supported version of Zeppelin.
References
▼ | URL | Tags |
---|---|---|
https://lists.apache.org/thread/gb1wdnrm1095xw6qznpsycfrht4lwbwc | vendor-advisory |
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Apache Software Foundation | Apache Zeppelin |
Version: 0 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-03T14:39:39.095Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "vendor-advisory", "x_transferred", ], url: "https://lists.apache.org/thread/gb1wdnrm1095xw6qznpsycfrht4lwbwc", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Apache Zeppelin", vendor: "Apache Software Foundation", versions: [ { lessThan: "0.8.2", status: "affected", version: "0", versionType: "maven", }, ], }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Apache Zeppelin allows logged-in users to execute arbitrary javascript in other users' browsers.<br><p>This issue affects Apache Zeppelin before 0.8.2. Users are recommended to upgrade to a supported version of Zeppelin.<br></p>", }, ], value: "An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Apache Zeppelin allows logged-in users to execute arbitrary javascript in other users' browsers.\nThis issue affects Apache Zeppelin before 0.8.2. 
Users are recommended to upgrade to a supported version of Zeppelin.\n\n\n", }, ], metrics: [ { other: { content: { text: "moderate", }, type: "Textual description of severity", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-79", description: "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2022-12-16T12:55:37.597Z", orgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", shortName: "apache", }, references: [ { tags: [ "vendor-advisory", ], url: "https://lists.apache.org/thread/gb1wdnrm1095xw6qznpsycfrht4lwbwc", }, ], source: { defect: [ "ZEPPELIN-4333", ], discovery: "UNKNOWN", }, title: "Apache Zeppelin: Stored XSS in note permissions", x_generator: { engine: "Vulnogram 0.1.0-dev", }, }, }, cveMetadata: { assignerOrgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", assignerShortName: "apache", cveId: "CVE-2022-46870", datePublished: "2022-12-16T12:55:37.597Z", dateReserved: "2022-12-09T14:04:31.289Z", dateUpdated: "2024-08-03T14:39:39.095Z", requesterUserId: "cf81350d-439c-4450-9d42-0a054bb6b6c9", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2021-27578
Vulnerability from cvelistv5
Published
2021-09-02 00:00
Modified
2024-08-03 21:26
Summary
Cross Site Scripting vulnerability in the markdown interpreter of Apache Zeppelin allows an attacker to inject malicious scripts. This issue affects Apache Zeppelin versions prior to 0.9.0.
References
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Apache Software Foundation | Apache Zeppelin |
Version: Apache Zeppelin < 0.9.0 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-03T21:26:09.867Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://lists.apache.org/thread.html/r90590aa5ea788128ecc2e822e1e64d5200b4cb92b06707b38da4cb3d%40%3Cusers.zeppelin.apache.org%3E", }, { name: "[zeppelin-users] 20210902 CVE-2021-27578: Apache Zeppelin: Cross Site Scripting in markdown interpreter", tags: [ "mailing-list", "x_transferred", ], url: "https://lists.apache.org/thread.html/r90590aa5ea788128ecc2e822e1e64d5200b4cb92b06707b38da4cb3d%40%3Cusers.zeppelin.apache.org%3E", }, { name: "[oss-security] 20210902 CVE-2021-27578: Apache Zeppelin: Cross Site Scripting in markdown interpreter", tags: [ "mailing-list", "x_transferred", ], url: "http://www.openwall.com/lists/oss-security/2021/09/02/3", }, { name: "[announce] 20210902 CVE-2021-27578: Apache Zeppelin: Cross Site Scripting in markdown interpreter", tags: [ "mailing-list", "x_transferred", ], url: "https://lists.apache.org/thread.html/r90590aa5ea788128ecc2e822e1e64d5200b4cb92b06707b38da4cb3d%40%3Cannounce.apache.org%3E", }, { name: "[zeppelin-users] 20210928 Re: CVE-2021-27578: Apache Zeppelin: Cross Site Scripting in markdown interpreter", tags: [ "mailing-list", "x_transferred", ], url: "https://lists.apache.org/thread.html/r31012f2c8e39a5e12e14c1de030012cb8b51c037d953d73b291b7b50%40%3Cusers.zeppelin.apache.org%3E", }, { name: "GLSA-202311-04", tags: [ "vendor-advisory", "x_transferred", ], url: "https://security.gentoo.org/glsa/202311-04", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "Apache Zeppelin", vendor: "Apache Software Foundation", versions: [ { lessThan: "0.9.0", status: "affected", version: "Apache Zeppelin", versionType: "custom", }, ], }, ], credits: [ { lang: "en", value: "Apache Zeppelin would like to thank Paulo Pacheco for reporting this issue ", }, ], descriptions: [ { lang: "en", value: "Cross Site Scripting 
vulnerability in markdown interpreter of Apache Zeppelin allows an attacker to inject malicious scripts. This issue affects Apache Zeppelin Apache Zeppelin versions prior to 0.9.0.", }, ], problemTypes: [ { descriptions: [ { description: "Cross Site Scripting", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2023-11-24T14:06:23.771497", orgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", shortName: "apache", }, references: [ { url: "https://lists.apache.org/thread.html/r90590aa5ea788128ecc2e822e1e64d5200b4cb92b06707b38da4cb3d%40%3Cusers.zeppelin.apache.org%3E", }, { name: "[zeppelin-users] 20210902 CVE-2021-27578: Apache Zeppelin: Cross Site Scripting in markdown interpreter", tags: [ "mailing-list", ], url: "https://lists.apache.org/thread.html/r90590aa5ea788128ecc2e822e1e64d5200b4cb92b06707b38da4cb3d%40%3Cusers.zeppelin.apache.org%3E", }, { name: "[oss-security] 20210902 CVE-2021-27578: Apache Zeppelin: Cross Site Scripting in markdown interpreter", tags: [ "mailing-list", ], url: "http://www.openwall.com/lists/oss-security/2021/09/02/3", }, { name: "[announce] 20210902 CVE-2021-27578: Apache Zeppelin: Cross Site Scripting in markdown interpreter", tags: [ "mailing-list", ], url: "https://lists.apache.org/thread.html/r90590aa5ea788128ecc2e822e1e64d5200b4cb92b06707b38da4cb3d%40%3Cannounce.apache.org%3E", }, { name: "[zeppelin-users] 20210928 Re: CVE-2021-27578: Apache Zeppelin: Cross Site Scripting in markdown interpreter", tags: [ "mailing-list", ], url: "https://lists.apache.org/thread.html/r31012f2c8e39a5e12e14c1de030012cb8b51c037d953d73b291b7b50%40%3Cusers.zeppelin.apache.org%3E", }, { name: "GLSA-202311-04", tags: [ "vendor-advisory", ], url: "https://security.gentoo.org/glsa/202311-04", }, ], source: { discovery: "UNKNOWN", }, title: "Cross Site Scripting in markdown interpreter", x_generator: { engine: "Vulnogram 0.0.9", }, }, }, cveMetadata: { assignerOrgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", assignerShortName: "apache", cveId: 
"CVE-2021-27578", datePublished: "2021-09-02T00:00:00", dateReserved: "2021-02-23T00:00:00", dateUpdated: "2024-08-03T21:26:09.867Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2018-1317
Vulnerability from cvelistv5
Published
2019-04-23 14:45
Modified
2024-08-05 03:59
Summary
In Apache Zeppelin prior to 0.8.0 the cron scheduler was enabled by default and could allow users to run paragraphs as other users without authentication.
References
▼ | URL | Tags |
---|---|---|
https://lists.apache.org/thread.html/ff6b995a5a3ba8db4d6b14b4d9dd487e7bf2e3bdd5b375b64a25fd06%40%3Cusers.zeppelin.apache.org%3E | mailing-list, x_refsource_MLIST | |
http://www.openwall.com/lists/oss-security/2019/04/23/1 | mailing-list, x_refsource_MLIST | |
https://zeppelin.apache.org/releases/zeppelin-release-0.8.0.html | x_refsource_MISC | |
http://www.securityfocus.com/bid/108047 | vdb-entry, x_refsource_BID |
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Apache Software Foundation | Apache Zeppelin |
Version: prior to 0.8.0 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-05T03:59:38.240Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { name: "[zeppelin-users] 20190423 Issues fixed in previous releases of Apache Zeppelin 0.7.3 and 0.8.0 (CVE-2017-12619 CVE-2018-1317 CVE-2018-1328)", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/ff6b995a5a3ba8db4d6b14b4d9dd487e7bf2e3bdd5b375b64a25fd06%40%3Cusers.zeppelin.apache.org%3E", }, { name: "[oss-security] 20190423 Issues fixed in previous releases of Apache Zeppelin 0.7.3 and 0.8.0 (CVE-2017-12619 CVE-2018-1317 CVE-2018-1328)", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "http://www.openwall.com/lists/oss-security/2019/04/23/1", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://zeppelin.apache.org/releases/zeppelin-release-0.8.0.html", }, { name: "108047", tags: [ "vdb-entry", "x_refsource_BID", "x_transferred", ], url: "http://www.securityfocus.com/bid/108047", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "Apache Zeppelin", vendor: "Apache Software Foundation", versions: [ { status: "affected", version: "prior to 0.8.0", }, ], }, ], datePublic: "2019-04-23T00:00:00", descriptions: [ { lang: "en", value: "In Apache Zeppelin prior to 0.8.0 the cron scheduler was enabled by default and could allow users to run paragraphs as other users without authentication.", }, ], problemTypes: [ { descriptions: [ { description: "Improper Authentication", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2019-04-24T10:05:59", orgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", shortName: "apache", }, references: [ { name: "[zeppelin-users] 20190423 Issues fixed in previous releases of Apache Zeppelin 0.7.3 and 0.8.0 (CVE-2017-12619 CVE-2018-1317 CVE-2018-1328)", tags: [ "mailing-list", "x_refsource_MLIST", ], url: 
"https://lists.apache.org/thread.html/ff6b995a5a3ba8db4d6b14b4d9dd487e7bf2e3bdd5b375b64a25fd06%40%3Cusers.zeppelin.apache.org%3E", }, { name: "[oss-security] 20190423 Issues fixed in previous releases of Apache Zeppelin 0.7.3 and 0.8.0 (CVE-2017-12619 CVE-2018-1317 CVE-2018-1328)", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "http://www.openwall.com/lists/oss-security/2019/04/23/1", }, { tags: [ "x_refsource_MISC", ], url: "https://zeppelin.apache.org/releases/zeppelin-release-0.8.0.html", }, { name: "108047", tags: [ "vdb-entry", "x_refsource_BID", ], url: "http://www.securityfocus.com/bid/108047", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "security@apache.org", ID: "CVE-2018-1317", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "Apache Zeppelin", version: { version_data: [ { version_value: "prior to 0.8.0", }, ], }, }, ], }, vendor_name: "Apache Software Foundation", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "In Apache Zeppelin prior to 0.8.0 the cron scheduler was enabled by default and could allow users to run paragraphs as other users without authentication.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "Improper Authentication", }, ], }, ], }, references: { reference_data: [ { name: "[zeppelin-users] 20190423 Issues fixed in previous releases of Apache Zeppelin 0.7.3 and 0.8.0 (CVE-2017-12619 CVE-2018-1317 CVE-2018-1328)", refsource: "MLIST", url: "https://lists.apache.org/thread.html/ff6b995a5a3ba8db4d6b14b4d9dd487e7bf2e3bdd5b375b64a25fd06@%3Cusers.zeppelin.apache.org%3E", }, { name: "[oss-security] 20190423 Issues fixed in previous releases of Apache Zeppelin 0.7.3 and 0.8.0 (CVE-2017-12619 CVE-2018-1317 CVE-2018-1328)", refsource: "MLIST", url: "http://www.openwall.com/lists/oss-security/2019/04/23/1", }, { name: 
"https://zeppelin.apache.org/releases/zeppelin-release-0.8.0.html", refsource: "MISC", url: "https://zeppelin.apache.org/releases/zeppelin-release-0.8.0.html", }, { name: "108047", refsource: "BID", url: "http://www.securityfocus.com/bid/108047", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", assignerShortName: "apache", cveId: "CVE-2018-1317", datePublished: "2019-04-23T14:45:20", dateReserved: "2017-12-07T00:00:00", dateUpdated: "2024-08-05T03:59:38.240Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2019-10095
Vulnerability from cvelistv5
Published
2021-09-02 00:00
Modified
2024-08-04 22:10
Severity ?
EPSS score ?
Summary
Bash command injection vulnerability in Apache Zeppelin allows an attacker to inject system commands into Spark interpreter settings. This issue affects Apache Zeppelin version 0.9.0 and prior versions.
References
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Apache Software Foundation | Apache Zeppelin |
Version: Apache Zeppelin <= 0.9.0 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-04T22:10:09.552Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://lists.apache.org/thread.html/rdf06e8423833b3daadc30c56a2ff47c48920864d5199476daa897208%40%3Cusers.zeppelin.apache.org%3E", }, { name: "[zeppelin-users] 20210902 CVE-2019-10095: Apache Zeppelin: bash command injection in spark interpreter", tags: [ "mailing-list", "x_transferred", ], url: "https://lists.apache.org/thread.html/rdf06e8423833b3daadc30c56a2ff47c48920864d5199476daa897208%40%3Cusers.zeppelin.apache.org%3E", }, { name: "[oss-security] 20210902 CVE-2019-10095: Apache Zeppelin: bash command injection in spark interpreter", tags: [ "mailing-list", "x_transferred", ], url: "http://www.openwall.com/lists/oss-security/2021/09/02/1", }, { name: "[announce] 20210902 CVE-2019-10095: Apache Zeppelin: bash command injection in spark interpreter", tags: [ "mailing-list", "x_transferred", ], url: "https://lists.apache.org/thread.html/rdf06e8423833b3daadc30c56a2ff47c48920864d5199476daa897208%40%3Cannounce.apache.org%3E", }, { name: "[zeppelin-users] 20210928 Re: CVE-2019-10095: Apache Zeppelin: bash command injection in spark interpreter", tags: [ "mailing-list", "x_transferred", ], url: "https://lists.apache.org/thread.html/rd56389ba9cab30a6c976b9a4a6df0f85cbe8fba6a60a3cf6e3ba716b%40%3Cusers.zeppelin.apache.org%3E", }, { name: "GLSA-202311-04", tags: [ "vendor-advisory", "x_transferred", ], url: "https://security.gentoo.org/glsa/202311-04", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "Apache Zeppelin", vendor: "Apache Software Foundation", versions: [ { lessThanOrEqual: "0.9.0", status: "affected", version: "Apache Zeppelin", versionType: "custom", }, ], }, ], credits: [ { lang: "en", value: "Apache Zeppelin would like to thank HERE Security team for reporting this issue ", }, ], descriptions: [ { lang: "en", value: "bash command 
injection vulnerability in Apache Zeppelin allows an attacker to inject system commands into Spark interpreter settings. This issue affects Apache Zeppelin Apache Zeppelin version 0.9.0 and prior versions.", }, ], problemTypes: [ { descriptions: [ { description: "bash command injection", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2023-11-24T14:06:20.416462", orgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", shortName: "apache", }, references: [ { url: "https://lists.apache.org/thread.html/rdf06e8423833b3daadc30c56a2ff47c48920864d5199476daa897208%40%3Cusers.zeppelin.apache.org%3E", }, { name: "[zeppelin-users] 20210902 CVE-2019-10095: Apache Zeppelin: bash command injection in spark interpreter", tags: [ "mailing-list", ], url: "https://lists.apache.org/thread.html/rdf06e8423833b3daadc30c56a2ff47c48920864d5199476daa897208%40%3Cusers.zeppelin.apache.org%3E", }, { name: "[oss-security] 20210902 CVE-2019-10095: Apache Zeppelin: bash command injection in spark interpreter", tags: [ "mailing-list", ], url: "http://www.openwall.com/lists/oss-security/2021/09/02/1", }, { name: "[announce] 20210902 CVE-2019-10095: Apache Zeppelin: bash command injection in spark interpreter", tags: [ "mailing-list", ], url: "https://lists.apache.org/thread.html/rdf06e8423833b3daadc30c56a2ff47c48920864d5199476daa897208%40%3Cannounce.apache.org%3E", }, { name: "[zeppelin-users] 20210928 Re: CVE-2019-10095: Apache Zeppelin: bash command injection in spark interpreter", tags: [ "mailing-list", ], url: "https://lists.apache.org/thread.html/rd56389ba9cab30a6c976b9a4a6df0f85cbe8fba6a60a3cf6e3ba716b%40%3Cusers.zeppelin.apache.org%3E", }, { name: "GLSA-202311-04", tags: [ "vendor-advisory", ], url: "https://security.gentoo.org/glsa/202311-04", }, ], source: { discovery: "UNKNOWN", }, title: "bash command injection in spark interpreter", x_generator: { engine: "Vulnogram 0.0.9", }, }, }, cveMetadata: { assignerOrgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", assignerShortName: 
"apache", cveId: "CVE-2019-10095", datePublished: "2021-09-02T00:00:00", dateReserved: "2019-03-26T00:00:00", dateUpdated: "2024-08-04T22:10:09.552Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }