org.apache.zeppelin:zeppelin-shell@0.8.0 vulnerabilities

  • latest version: 0.12.0
  • latest non vulnerable version:
  • first published: 9 years ago
  • latest version published: 7 months ago
  • licenses detected:
  • package registry:

  • Direct Vulnerabilities

    Known vulnerabilities in the org.apache.zeppelin:zeppelin-shell package. This does not include vulnerabilities belonging to this package’s dependencies.

    Vulnerability: Missing Origin Validation in WebSockets
    Severity: M (Medium)

    Affected versions of this package are vulnerable to Missing Origin Validation in WebSockets. When a terminal interpreter (i.e. %sh.terminal) is used in an Apache Zeppelin notebook, a WebSocket server is spawned on a random port. This server does not implement an origin check and is therefore vulnerable to cross-site WebSocket hijacking. This allows information exposure, which could then be used to achieve command injection if a malicious WebSocket client is able to connect to the server and send arbitrary commands to the shell. The only thing preventing a client from connecting to the WebSocket server is the use of a random port. A random port should not be relied upon as the only mechanism to prevent unauthorized clients from connecting and sending arbitrary commands to the server, since it may be brute-forced.

    How to fix Missing Origin Validation in WebSockets?

    Upgrade org.apache.zeppelin:zeppelin-shell to version 0.12.0 or higher.

    Vulnerable versions: [,0.12.0)