Description

Authentication bypass vulnerability in Apache Zeppelin allows an attacker to bypass Zeppelin authentication mechanism to act as another user. This issue affects Apache Zeppelin Apache Zeppelin version 0.9.0 and prior versions.

Remediation

References

http://www.openwall.com/lists/oss-security/2021/09/02/2

https://lists.apache.org/thread.html/r768800925d6407a6a87ccae0ec98776b7bda50c0e3ed3d0130dad028%40%3Cannounce.apache.org%3E

https://lists.apache.org/thread.html/r768800925d6407a6a87ccae0ec98776b7bda50c0e3ed3d0130dad028%40%3Cusers.zeppelin.apache.org%3E

https://lists.apache.org/thread.html/r768800925d6407a6a87ccae0ec98776b7bda50c0e3ed3d0130dad028%40%3Cusers.zeppelin.apache.org%3E

https://lists.apache.org/thread.html/r99529e175a7c1c9a26bd41a02802c8af7aa97319fe561874627eb999%40%3Cusers.zeppelin.apache.org%3E

https://security.gentoo.org/glsa/202311-04

Related Vulnerabilities

CVE-2022-21676 Vulnerability in npm package engine.io

CVE-2022-25645 Vulnerability in maven package org.webjars.npm:dset

CVE-2022-45401 Vulnerability in maven package org.jenkinsci.plugins:associated-files

CVE-2019-13506 Vulnerability in npm package @nuxtjs/devalue

CVE-2022-1291 Vulnerability in maven package org.webjars.npm:tableexport.jquery.plugin

Severity

High

Classification

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Tags

Mailing List Third Party Advisory Vendor Advisory NVD-CWE-noinfo