Description

Authentication bypass vulnerability in Apache Zeppelin allows an attacker to bypass Zeppelin authentication mechanism to act as another user. This issue affects Apache Zeppelin Apache Zeppelin version 0.9.0 and prior versions.

Remediation

References

http://www.openwall.com/lists/oss-security/2021/09/02/2

https://lists.apache.org/thread.html/r768800925d6407a6a87ccae0ec98776b7bda50c0e3ed3d0130dad028%40%3Cannounce.apache.org%3E

https://lists.apache.org/thread.html/r768800925d6407a6a87ccae0ec98776b7bda50c0e3ed3d0130dad028%40%3Cusers.zeppelin.apache.org%3E

https://lists.apache.org/thread.html/r768800925d6407a6a87ccae0ec98776b7bda50c0e3ed3d0130dad028%40%3Cusers.zeppelin.apache.org%3E

https://lists.apache.org/thread.html/r99529e175a7c1c9a26bd41a02802c8af7aa97319fe561874627eb999%40%3Cusers.zeppelin.apache.org%3E

https://security.gentoo.org/glsa/202311-04

Related Vulnerabilities

CVE-2023-4771 Vulnerability in maven package org.webjars.npm:ckeditor4

CVE-2021-25913 Vulnerability in npm package set-or-get

CVE-2022-23437 Vulnerability in maven package xerces:xercesimpl

CVE-2020-28191 Vulnerability in maven package org.togglz:togglz-console

CVE-2020-1956 Vulnerability in maven package org.apache.kylin:kylin-core-common

Severity

High

Classification

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Tags

Mailing List Third Party Advisory Vendor Advisory NVD-CWE-noinfo