CVE-2024-51775
Apache Zeppelin: Command Injection via CSWSH
In short
Apache Zeppelin fails to validate the origin of WebSocket connections, allowing attackers from other websites to access the server and steal internal information about notebooks and paragraphs without permission.
Technical detail
Missing origin validation in WebSocket handlers (CSWSH vector) allows cross-origin requests to bypass CORS protections, enabling attackers to retrieve sensitive paragraph metadata and internal Zeppelin data. Affects versions 0.11.1 through 0.11.x; requires network access to the Zeppelin server.
Summary generated and translated by AI from the official description.
Missing Origin Validation in WebSockets vulnerability in Apache Zeppelin.
The attacker could access the Zeppelin server from another origin without any restriction, and get internal information about paragraphs.
This issue affects Apache Zeppelin: from 0.11.1 before 0.12.0.
Users are recommended to upgrade to version 0.12.0, which fixes the issue.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Affected products
Apache Software Foundation · Apache ZeppelinWant to know if your infrastructure is exposed to this?
Talk to TrueHacking →