CVE-2024-31860
CVE-2024-31860 affects Apache Zeppelin through an improper input validation flaw that enables path traversal via relative paths (e.g., ..). The issue allows an attacker to view files on the server filesystem that the Zeppelin server account can access. Affected range: Zeppelin 0.9.0 up to before ...
CVE-2019-10095
Apache Zeppelin
CVE-2024-31865
CVE-2024-31865 affects Apache Zeppelin due to an Improper Input Validation in the cron API, allowing arbitrary user impersonation with insufficient privileges. Affected versions are 0.8.2 up to before 0.11.1; upgrading to 0.11.1 or later fixes the issue. The CVE entry and linked sources (Red Hat,...
CVE-2022-46870
CVE-2022-46870 is a cross-site scripting (XSS) vulnerability in Apache Zeppelin up to version 0.8.2. The issue stems from improper neutralization of input during web page generation, allowing logged-in users to execute arbitrary JavaScript in other users’ browsers. Affected product:...
CVE-2018-1328
CVE-2018-1328 affects Apache Zeppelin prior to 0.8.0, where a stored XSS flaw exists via Note permissions. The root cause is unsanitized input in Note handling that can trigger script execution. Impact is user-facing XSS; remediation is upgrading Zeppelin to 0.8.0 or later (or applying equivalent...
CVE-2020-13929
Apache Zeppelin = 0.10.1. If upgrading is not feasible, apply vendor/workaround guidance from the advisory. Note: exploitation details are not provided in the sources; no in-the-wild exploit data is included in the documents beyond the stated vulnerability description. Further public technical de...
CVE-2024-31863
CVE-2024-31863 affects Apache Zeppelin. The vulnerability allows authentication bypass by spoofing through replacing existing notes/annotations, effectively bypassing permissions. Affected: Zeppelin 0.10.1 before 0.11.0. Impact: potential unauthorized access via note/annotation replacement. Mitig...
CVE-2024-31864
CVE-2024-31864 affects Apache Zeppelin prior to 0.11.1, enabling code injection when establishing a MySQL JDBC connection. The issue is described as improper control of generation of code, with a CVSS v3.1 base score of 9.8 (Network, HIGH impact on confidentiality, integrity, and availability). T...
CVE-2018-1317
CVE-2018-1317 affects Apache Zeppelin prior to 0.8.0, where the cron scheduler was enabled by default. This could allow users to run paragraphs as other users without authentication, constituting an authentication bypass. The documented remediation is to upgrade to Zeppelin 0.8.0 or later, which ...
CVE-2022-47894
Apache Zeppelin (SAP interpreter) contains an input validation weakness related to XML processing that affects versions 0.8.0 through 0.11.0. The root cause is improper XML validation, which some sources describe as XML External Entity (XXE) related. Impact statements...
CVE-2021-27578
CVE-2021-27578 is a Cross Site Scripting vulnerability in the Markdown interpreter of Apache Zeppelin. Affected product: Apache Zeppelin (web-based notebook). Affected version: prior to 0.9.0. Root cause: XSS in the markdown interpreter that allows an attacker to inject malicious scripts. Impact:...
CVE-2024-31862
CVE-2024-31862 affects Apache Zeppelin (0.10.1 up to before 0.11.0) and is due to improper input validation when creating a new note via the Zeppelin UI. The issue is described across multiple sources as an input validation error with potential impact limited to availability (Low) and no confidentialit...
CVE-2017-12619
CVE-2017-12619 affects Apache Zeppelin prior to 0.7.3, where a session fixation flaw could allow an attacker to hijack a valid user session. The issue is documented across multiple sources (NVD entry for CVE-2017-12619 and OSV/GHSA advisories) and is commonly described as a session fixation vulne...
CVE-2021-28656
CVE-2021-28656 corresponds to a CSRF issue in the Credential page of Apache Zeppelin (affected versions: 0.9.0 and prior). The root cause cited across sources is inadequate validation of requests, enabling an attacker to submit malicious requests (e.g., via phishing). Several connected documents ...
CVE-2024-31867
CVE-2024-31867 (Apache Zeppelin LDAP search filter injection) is an improper input validation vulnerability in Zeppelin. The issue allows an attacker to execute malicious queries by manipulating LDAP search filter configuration properties, affecting Zeppelin versions from 0.8.2 up to, but ...
CVE-2024-31868
CVE-2024-31868 affects Apache Zeppelin: improper encoding/escaping in the helium module enables cross-site scripting by modifying helium.json. Impact described as user-facing XSS; affects 0.8.2–0.11.0, fixed in 0.11.1. Remediation: upgrade to Zeppelin 0.11.1 or later. Other sources (Red Hat, Vera...
CVE-2024-31866
CVE-2024-31866 is an Apache Zeppelin vulnerability: improper encoding/escaping of output allowing an attacker to override configuration (notably ZEPPELIN_INTP_CLASSPATH_OVERRIDES) to execute shell commands or malicious code. Affects Zeppelin releases from 0.8.2 up to but not including 0.11.1; upg...
CVE-2021-28655
CVE-2021-28655 (Apache Zeppelin) describes an improper input validation in the Move folder to Trash feature, enabling an attacker to delete arbitrary files. Affected product: Apache Zeppelin, version 0.9.0 and prior. Root cause: input validation flaw in the Move folder to Trash flow (NotebookServ...
CVE-2024-41169
The CVE concerns Apache Zeppelin (versions 0.10.1–0.12.0) where an unauthenticated raft server protocol can expose server resources, including directories and files. Root cause details in connected data indicate the raft-enabled components allow unauthenticated access, enabling an attacker to vie...
CVE-2024-51775
CVE-2024-51775 describes a Missing Origin Validation in WebSockets vulnerability affecting Apache Zeppelin (versions 0.11.1 up to, but not including, 0.12.0). The issue allows a client from another origin to connect to Zeppelin’s WebSocket server and access internal information about paragraphs, ...
CVE-2024-52279
CVE-2024-52279 affects Apache Zeppelin (0.11.1 before 0.12.0). The issue is an improper input validation in the JDBC URL handling that did not account for URL-encoded input, enabling an attack via a malicious JDBC connection string and potentially leading to arbitrary file read. The evidence link...
CVE-2024-41177
CVE-2024-41177 affects Apache Zeppelin (Helium module) up to version 0.12.0. The issue is an Incomplete Blacklist to Cross-Site Scripting vulnerability in the Helium module, allowing XSS via insufficient input validation. The recommended remediation is to upgrade org.apache.zeppelin:zeppelin-web ...