Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTl4MmgtaHZnNi00cjVw
Improper Authentication in Apache Zeppelin
In Apache Zeppelin prior to 0.8.0 the cron scheduler was enabled by default and could allow users to run paragraphs as other users without authentication.
Permalink: https://github.com/advisories/GHSA-9x2h-hvg6-4r5p
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTl4MmgtaHZnNi00cjVw
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 5 years ago
Updated: almost 2 years ago
CVSS Score: 8.8
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Percentage: 0.00236
EPSS Percentile: 0.61791
Identifiers: GHSA-9x2h-hvg6-4r5p, CVE-2018-1317
References:
- https://nvd.nist.gov/vuln/detail/CVE-2018-1317
- http://www.openwall.com/lists/oss-security/2019/04/23/1
- https://lists.apache.org/thread.html/ff6b995a5a3ba8db4d6b14b4d9dd487e7bf2e3bdd5b375b64a25fd06@%3Cusers.zeppelin.apache.org%3E
- https://zeppelin.apache.org/releases/zeppelin-release-0.8.0.html
- https://github.com/advisories/GHSA-9x2h-hvg6-4r5p
Affected Packages
maven:org.apache.zeppelin:zeppelin
Dependent packages: 0
Dependent repositories: 1
Downloads:
Affected Version Ranges: < 0.8.0
Fixed in: 0.8.0
All affected versions: 0.6.0, 0.6.1, 0.6.2, 0.7.0, 0.7.1, 0.7.2, 0.7.3
All unaffected versions: 0.8.0, 0.8.1, 0.8.2, 0.9.0, 0.10.0, 0.10.1, 0.11.0, 0.11.1, 0.11.2