Lucene search

GitHub Advisory DatabaseGHSA-9P8J-HRGF-JC2G

HistoryDec 20, 2022 - 9:30 p.m.

Apache Zeppelin Cross-site Scripting vulnerability

2022-12-2021:30:19

CWE-79

GitHub Advisory Database

github.com

apache zeppelin

cross-site scripting

web page generation

arbitrary javascript

upgrade

vulnerability

5.4 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

0.002 Low

EPSS

Percentile

56.6%

JSON

An Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Apache Zeppelin allows logged-in users to execute arbitrary javascript in other users’ browsers. This issue affects Apache Zeppelin before 0.8.2. Users are recommended to upgrade to a supported version of Zeppelin.

Affected configurations

Vulners

Node

org.apache.zeppelin\Matchzeppelin

CPENameOperatorVersion
org.apache.zeppelin:zeppelinlt0.8.2

CPE	Name	Operator	Version
	org.apache.zeppelin:zeppelin	lt	0.8.2

References

github.com/advisories/GHSA-9p8j-hrgf-jc2g

lists.apache.org/thread/gb1wdnrm1095xw6qznpsycfrht4lwbwc

nvd.nist.gov/vuln/detail/CVE-2022-46870