CVE-2024-31868

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2024-31868
Improper Encoding or Escaping of Output vulnerability in Apache Zeppelin. The attackers can modify helium.json and exposure XSS attacks to normal users. This issue affects Apache Zeppelin: from 0.8.2 before 0.11.1. Users are recommended to upgrade to version 0.11.1, which fixes the issue.

6.1 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References
Link Resource
https://github.com/apache/zeppelin/pull/4728
https://lists.apache.org/thread/55mqs673plsxmgnq7fdf2flftpllyf11
Configurations

No configuration.

History

04 Nov 2024, 17:35

Type Values Removed Values Added
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 6.1

03 Oct 2024, 13:15

Type Values Removed Values Added
CWE CWE-116 CWE-79
References
  • {'url': 'http://www.openwall.com/lists/oss-security/2024/04/09/11', 'source': 'security@apache.org'}
Summary (en) Improper Encoding or Escaping of Output vulnerability in Apache Zeppelin. The attackers can modify helium.json and exposure XSS attacks to normal users. This issue affects Apache Zeppelin: from 0.8.2 before 0.11.1. Users are recommended to upgrade to version 0.11.1, which fixes the issue. (en) Improper Encoding or Escaping of Output vulnerability in Apache Zeppelin. The attackers can modify helium.json and exposure XSS attacks to normal users. This issue affects Apache Zeppelin: from 0.8.2 before 0.11.1. Users are recommended to upgrade to version 0.11.1, which fixes the issue.

01 May 2024, 18:15

Type Values Removed Values Added
Summary
  • (es) Vulnerabilidad de codificación o escape de salida inadecuados en Apache Zeppelin. Los atacantes pueden modificar helium.json y exponer ataques XSS a usuarios normales. Este problema afecta a Apache Zeppelin: desde 0.8.2 antes de 0.11.1. Se recomienda a los usuarios actualizar a la versión 0.11.1, que soluciona el problema.
References
  • () http://www.openwall.com/lists/oss-security/2024/04/09/11 -

09 Apr 2024, 16:15

Type Values Removed Values Added
New CVE
Information

Published : 2024-04-09 16:15

Updated : 2024-11-04 17:35

NVD link : CVE-2024-31868

Mitre link : CVE-2024-31868

CVE.ORG link : CVE-2024-31868

JSON object : View

Products Affected

No product.

CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')