Exposure of Sensitive System Information to an Unauthorized Control Sphere
org.apache.zeppelin:zeppelin-server is a web-based notebook that enables interactive data analytics. You can make beautiful data-driven, interactive and collaborative documents with SQL, Scala and more. Affected versions of this package are vulnerable to Exposure of Sensitive System...
Denial Of Service (DoS)
org.apache.zeppelin:zeppelin-server is vulnerable to Improper Input Validation. The vulnerability is due to insufficient note path validation, which allows an attacker to cause Denial of Service...
Path Traversal
org.apache.zeppelin:zeppelin-server is vulnerable to Path Traversal. The vulnerability is due to improper sanitization of user-supplied input, allowing attackers to use relative paths e.g., ".." to access files on the server's filesystem that the server account has permissions to access...
Arbitrary File Deletion
zeppelin-server is vulnerable to Arbitrary File Deletion. The vulnerability exists due to improper input validation in the moveFolderToTrash function of NotebookService.java, allowing an attacker to delete arbitrary files...
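The three entries above (insufficient note path validation leading to DoS, path traversal, and the moveFolderToTrash file deletion) share one root cause: a user-supplied note path is joined onto the storage directory without checking that the result stays inside it. The following is an added example, not Zeppelin's own code, showing the vulnerable join beside a hardened version and a trash-move that validates both ends of the move. The storage root `/opt/zeppelin/notebook` and the trash folder name `~Trash` are assumptions for the demonstration.

```python
import posixpath

# Assumed storage root for the demonstration; the real location is configurable.
NOTEBOOK_ROOT = "/opt/zeppelin/notebook"


def unsafe_note_file(note_path, root=NOTEBOOK_ROOT):
    """Vulnerable pattern: the user-supplied note path is glued onto the
    storage root with no validation. normpath stands in for what the
    filesystem does with the '..' segments, so a traversal payload comes
    back as a path outside the root."""
    return posixpath.normpath(posixpath.join(root, note_path.lstrip("/")))


def safe_note_file(note_path, root=NOTEBOOK_ROOT):
    """Hardened pattern: refuse '..' segments outright, then confirm the
    normalized result still lies under the storage root.

    Raises ValueError for anything that escapes or looks malformed. Callers
    must pass the already URL-decoded path; decoding after this check would
    reopen the hole (%2e%2e -> ..).
    """
    if not note_path or "\x00" in note_path:
        raise ValueError("empty or NUL-containing note path")
    if any(segment == ".." for segment in note_path.split("/")):
        raise ValueError("'..' segment in note path: %r" % note_path)
    root = posixpath.normpath(root)
    full = posixpath.normpath(posixpath.join(root, note_path.lstrip("/")))
    # Defence in depth: compare with the separator included so that a root of
    # /opt/zeppelin/notebook does not accept /opt/zeppelin/notebook-evil/x.
    if full != root and not full.startswith(root + "/"):
        raise ValueError("note path escapes storage root: %r" % note_path)
    return full


def is_safe_note_path(note_path, root=NOTEBOOK_ROOT):
    """Boolean convenience wrapper around safe_note_file."""
    try:
        safe_note_file(note_path, root)
    except ValueError:
        return False
    return True


def move_folder_to_trash(note_path, root=NOTEBOOK_ROOT, trash="~Trash"):
    """Compute (source, destination) for a move-to-trash, validating both
    ends with the same check so neither can point outside the root. The
    trash folder name is an assumption for this example."""
    source = safe_note_file(note_path, root)
    relative = posixpath.relpath(source, posixpath.normpath(root))
    if relative == ".":
        raise ValueError("refusing to trash the storage root itself")
    destination = safe_note_file(posixpath.join(trash, relative), root)
    return source, destination


if __name__ == "__main__":
    print(unsafe_note_file("../../../etc/passwd"))      # walks out of the root
    print(safe_note_file("Users/alice/report"))
    print(is_safe_note_path("../../../etc/passwd"))      # False
    print(move_folder_to_trash("Users/alice/report"))
```

The explicit `..` rejection is what does most of the work; the prefix comparison after normalization is kept as a second, independent check so that a future change to one does not silently disable the protection.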
SQL Injection
zeppelin-server is vulnerable to SQL injection attacks. It does not sanitize the username but places input taken directly from the user into the SQL query when retrieving a user list through REST. If an attacker was able to save a username with SQL code in it, this would get executed when the list was bein...
SQL Injection
zeppelin-server is vulnerable to SQL injection attacks. The username value is used directly in a SQL statement when retrieving a user list through REST. If an attacker was able to save a username with SQL code in it, this would get executed when the list was being retrieved...
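Both SQL injection entries describe the same second-order pattern: the username is stored safely, but later spliced into a statement when the user list is assembled. The following added example (not Zeppelin's code) reproduces that with an in-memory SQLite database: a constructed attacker username carrying SQL leaks every stored password hash through the vulnerable lookup, while the parameterized lookup treats the same value as plain data. The table layout and hash values are invented for the demonstration.

```python
import sqlite3

# Attacker-chosen username carrying SQL; a constructed payload for this example.
ATTACKER_NAME = "eve' UNION SELECT password_hash FROM users WHERE '1'='1"


def build_demo_db():
    """Constructed in-memory database standing in for the user store.
    Registration itself uses bound parameters, so the hostile username is
    stored verbatim: that is the second-order scenario the advisories describe."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (name TEXT PRIMARY KEY, password_hash TEXT);
        CREATE TABLE roles (username TEXT, role TEXT);
    """)
    accounts = [
        ("alice", "hash_of_alice"),
        ("bob", "hash_of_bob"),
        (ATTACKER_NAME, "hash_of_eve"),
    ]
    conn.executemany("INSERT INTO users VALUES (?, ?)", accounts)
    conn.executemany("INSERT INTO roles VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


def roles_for_user_vulnerable(conn, name):
    """Vulnerable: the stored username becomes part of the statement text,
    so the quote and UNION inside it are parsed as SQL."""
    query = "SELECT role FROM roles WHERE username = '%s'" % name
    return [row[0] for row in conn.execute(query)]


def roles_for_user_safe(conn, name):
    """Hardened: the username travels as a bound parameter and can never
    change the shape of the statement."""
    query = "SELECT role FROM roles WHERE username = ?"
    return [row[0] for row in conn.execute(query, (name,))]


def list_users(conn, roles_for_user):
    """The user-list endpoint: look up each stored name's roles using the
    supplied lookup function. Returns {username: [roles]}."""
    names = [row[0] for row in conn.execute("SELECT name FROM users ORDER BY name")]
    return {name: roles_for_user(conn, name) for name in names}


if __name__ == "__main__":
    db = build_demo_db()
    print(list_users(db, roles_for_user_vulnerable)[ATTACKER_NAME])  # leaks hashes
    print(list_users(db, roles_for_user_safe)[ATTACKER_NAME])        # []
```

Note that nothing about the vulnerable path requires the attacker to reach the list endpoint; any user able to set their own name plants the payload, and whoever later views the list triggers it.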
Cross-Site WebSocket Hijack
zeppelin-server is vulnerable to cross-site websocket hijacking because browsers do not apply the same-origin policy to WebSocket connections, so the server itself must validate the Origin header. This could allow an attacker to create a malicious website and trick the user into opening it...
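The server-side defence against cross-site WebSocket hijacking is to compare the handshake's Origin header against an allow-list of exact origins (scheme, host and port) and refuse the upgrade otherwise. The following is an added example, not Zeppelin's own handshake code, showing a vulnerable gate that ignores Origin beside a hardened one, exercised with constructed upgrade requests. Host names and the session cookie are invented for the demonstration.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed handshakes. Both carry the victim's cookie because the browser
# attaches it regardless of which page opened the socket.
LEGIT_HANDSHAKE = {
    "Host": "zeppelin.example",
    "Upgrade": "websocket",
    "Origin": "https://zeppelin.example",
    "Cookie": "JSESSIONID=constructed-session-id",
}
ATTACKER_HANDSHAKE = dict(LEGIT_HANDSHAKE, Origin="https://attacker.example")


def normalize_origin(origin):
    """Return (scheme, host, port) for an Origin value, or None if it is
    missing, 'null', or not a bare serialized origin. Default ports are
    made explicit so https://z.example and https://z.example:443 compare equal."""
    if not origin or origin == "null":
        return None
    parts = urlsplit(origin)
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        return None
    try:
        port = parts.port
    except ValueError:  # malformed port such as https://h:abc
        return None
    if port is None:
        port = DEFAULT_PORTS[parts.scheme]
    return (parts.scheme, parts.hostname.lower(), port)


def origin_allowed(origin, allowed_origins):
    """True only if Origin matches an allow-list entry exactly. Missing or
    'null' origins are refused because the connection will carry cookies.
    No substring or prefix matching: https://zeppelin.example.evil.com must
    not pass for https://zeppelin.example."""
    wanted = normalize_origin(origin)
    if wanted is None:
        return False
    allowed = {normalize_origin(o) for o in allowed_origins}
    allowed.discard(None)
    return wanted in allowed


def accept_upgrade_vulnerable(headers):
    """Vulnerable gate: accepts any WebSocket upgrade, wherever it came from."""
    h = {k.lower(): v for k, v in headers.items()}
    return h.get("upgrade", "").lower() == "websocket"


def accept_upgrade_safe(headers, allowed_origins):
    """Hardened gate: the upgrade is accepted only from an allow-listed origin."""
    h = {k.lower(): v for k, v in headers.items()}
    if h.get("upgrade", "").lower() != "websocket":
        return False
    return origin_allowed(h.get("origin"), allowed_origins)


if __name__ == "__main__":
    allowed = ["https://zeppelin.example"]
    print(accept_upgrade_vulnerable(ATTACKER_HANDSHAKE))        # True: hijackable
    print(accept_upgrade_safe(ATTACKER_HANDSHAKE, allowed))     # False
    print(accept_upgrade_safe(LEGIT_HANDSHAKE, allowed))        # True
```

Rejecting a missing Origin is the right default for a cookie-authenticated service; non-browser clients that need access should present a token rather than rely on the absence of the header.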