Description

Authentication bypass vulnerability in Apache Zeppelin allows an attacker to bypass Zeppelin authentication mechanism to act as another user. This issue affects Apache Zeppelin Apache Zeppelin version 0.9.0 and prior versions.

Remediation

References

http://www.openwall.com/lists/oss-security/2021/09/02/2

https://lists.apache.org/thread.html/r768800925d6407a6a87ccae0ec98776b7bda50c0e3ed3d0130dad028%40%3Cannounce.apache.org%3E

https://lists.apache.org/thread.html/r768800925d6407a6a87ccae0ec98776b7bda50c0e3ed3d0130dad028%40%3Cusers.zeppelin.apache.org%3E

https://lists.apache.org/thread.html/r99529e175a7c1c9a26bd41a02802c8af7aa97319fe561874627eb999%40%3Cusers.zeppelin.apache.org%3E

https://security.gentoo.org/glsa/202311-04

Related Vulnerabilities

CVE-2019-16943 Vulnerability in maven package com.fasterxml.jackson.core:jackson-databind

CVE-2021-45458 Vulnerability in maven package org.apache.kylin:kylin-core-common

CVE-2023-33779 Vulnerability in maven package com.xuxueli:xxl-job

CVE-2022-0624 Vulnerability in maven package org.webjars.npm:parse-path

CVE-2020-7598 Vulnerability in npm package minimist

Severity

High

Classification

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Tags

Mailing List Third Party Advisory Vendor Advisory NVD-CWE-noinfo