Cross-Site Scripting Vulnerability in Apache Zeppelin by Apache
CVE-2024-41177

6.1MEDIUM

Key Information:

Vendor

Apache
Status
Apache Zeppelin
Vendor
CVE Published:
3 August 2025

What is CVE-2024-41177?

An incomplete blacklist vulnerability in Apache Zeppelin can be exploited to execute unauthorized scripts in the user's browser session. This flaw affects versions prior to 0.12.0, and users are strongly encouraged to upgrade to this latest version to rectify the vulnerability and enhance their application's security posture.

Affected Version(s)

Apache Zeppelin 0 < 0.12.0

References

https://github.com/apache/zeppelin/pull/4755
patch
https://github.com/apache/zeppelin/pull/4795
patch
https://lists.apache.org/thread/nwh8vh9f3pnvt04n8z4g2kbdd...
vendor-advisory

CVSS V3.1

Score:
6.1
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

H Ming
.