CVE-2022-46870

2022-12-1613:15:09

CWE-79

[email protected]

web.nvd.nist.gov

cve

apache zeppelin

cross-site scripting

xss

vulnerability

security

update

5.4 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

5.8 Medium

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

56.6%

JSON

An Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Apache Zeppelin allows logged-in users to execute arbitrary javascript in other users’ browsers.
This issue affects Apache Zeppelin before 0.8.2. Users are recommended to upgrade to a supported version of Zeppelin.

Affected configurations

Vulners

NVD

Node

apachezeppelinRange≤0.8.2

CPENameOperatorVersion
apache:zeppelinapache zeppelinlt0.8.2

CPE	Name	Operator	Version
apache:zeppelin	apache zeppelin	lt	0.8.2

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "Apache Zeppelin",
    "vendor": "Apache Software Foundation",
    "versions": [
      {
        "lessThan": "0.8.2",
        "status": "affected",
        "version": "0",
        "versionType": "maven"
      }
    ]
  }
]