Apache Zeppelin: XSS vulnerability in the helium module
CVE-2024-31868

Currently unrated

Key Information:

Vendor
Apache
Status
Apache Zeppelin
Vendor
CVE Published:
9 April 2024

Summary

Improper Encoding or Escaping of Output vulnerability in Apache Zeppelin.

The attackers can modify helium.json and exposure XSS attacks to normal users. This issue affects Apache Zeppelin: from 0.8.2 before 0.11.1.

Users are recommended to upgrade to version 0.11.1, which fixes the issue.

Affected Version(s)

Apache Zeppelin 0.8.2 < 0.11.1

References

https://github.com/apache/zeppelin/pull/4728
patch
https://lists.apache.org/thread/55mqs673plsxmgnq7fdf2flft...
vendor-advisory

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

H Ming
.