exploitDog
GHSA-rrvf-5w4r-3x7v

Published: 9 Apr 2024
Source: github
GitHub: reviewed
CVSS4: 5.3
CVSS3: 6.1

Description

Apache Zeppelin vulnerable to cross-site scripting in the helium module

Improper Encoding or Escaping of Output vulnerability in Apache Zeppelin.

Attackers can modify helium.json and perform cross-site scripting attacks on normal users. This issue affects Apache Zeppelin: from 0.8.2 before 0.11.1.

Users are recommended to upgrade to version 0.11.1, which fixes the issue.

Packages

Name: org.apache.zeppelin:zeppelin-interpreter
Ecosystem: maven
Affected versions: >= 0.8.2, < 0.11.1
Fixed version: 0.11.1

EPSS: 0.01512 (percentile 81%), Low

CVSS4: 5.3 Medium

CVSS3: 6.1 Medium

Weaknesses

CWE-116 (Improper Encoding or Escaping of Output)
CWE-79 (Improper Neutralization of Input During Web Page Generation, i.e. cross-site scripting)

Related vulnerabilities

CVSS3: 6.1
Source: nvd
Published almost 2 years ago

Improper Encoding or Escaping of Output vulnerability in Apache Zeppelin. The attackers can modify helium.json and expose normal users to XSS attacks. This issue affects Apache Zeppelin: from 0.8.2 before 0.11.1. Users are recommended to upgrade to version 0.11.1, which fixes the issue.
