Apache Zeppelin CSRF Vulnerability Allows Malicious Request Submission
CVE-2021-28656
5.4 MEDIUM
Summary
A Cross-Site Request Forgery (CSRF) vulnerability exists in the credential management page of Apache Zeppelin. It allows an attacker to forge requests that compromise user credentials, potentially allowing unauthorized actions on the server. Apache Zeppelin version 0.9.0 and earlier are affected, as these versions may not adequately validate the authenticity of requests. Organizations using this product should implement security measures to safeguard against such attacks.
Affected Version(s)
Apache Zeppelin 0 <= 0.9.0
CVSS V3.1
Score: 5.4
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Jiang Qingzhi