Every CVE whose affected-product data names Apache Zeppelin, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (22)
CVE-2019-10095 — CVSS 9.8 (critical): bash command injection vulnerability in Apache Zeppelin allows an attacker to inject system commands into Spark interpreter settings. This…
CVE-2024-31866 — CVSS 9.8 (critical): Improper Encoding or Escaping of Output vulnerability in Apache Zeppelin. The attackers can execute shell scripts or malicious code by…
CVE-2024-31864 — CVSS 9.8 (critical): Improper Control of Generation of Code ('Code Injection') vulnerability in Apache Zeppelin. The attacker can inject sensitive configuration…
CVE-2018-1317 — CVSS 8.8 (high): In Apache Zeppelin prior to 0.8.0 the cron scheduler was enabled by default and could allow users to run paragraphs as other users without…
CVE-2017-12619 — CVSS 8.1 (high): Apache Zeppelin prior to 0.7.3 was vulnerable to session fixation which allowed an attacker to hijack a valid user session. Issue was…
CVE-2020-13929 — CVSS 7.5 (high): Authentication bypass vulnerability in Apache Zeppelin allows an attacker to bypass Zeppelin authentication mechanism to act as another…
CVE-2024-41169 — CVSS 7.5 (high): The attacker can use the raft server protocol in an unauthenticated way. The attacker can see the server's resources, including directories…
CVE-2024-31867 — CVSS 6.5 (medium): Improper Input Validation vulnerability in Apache Zeppelin. The attackers can execute malicious queries by setting improper configuration…
CVE-2021-28655 — CVSS 6.5 (medium): The improper Input Validation vulnerability in "”Move folder to Trash” feature of Apache Zeppelin allows an attacker to delete the…
CVE-2024-31865 — CVSS 6.5 (medium): Improper Input Validation vulnerability in Apache Zeppelin. The attackers can call updating cron API with invalid or improper privileges so…
CVE-2024-31860 — CVSS 6.5 (medium): Improper Input Validation vulnerability in Apache Zeppelin. By adding relative path indicators(E.g ..), attackers can see the contents for…
CVE-2024-31868 — CVSS 6.1 (medium): Improper Encoding or Escaping of Output vulnerability in Apache Zeppelin. The attackers can modify helium.json and exposure XSS attacks to…
CVE-2024-41177 — CVSS 6.1 (medium): Incomplete Blacklist to Cross-Site Scripting vulnerability in Apache Zeppelin. This issue affects Apache Zeppelin: before 0.12.0. Users are…
CVE-2021-27578 — CVSS 6.1 (medium): Cross Site Scripting vulnerability in markdown interpreter of Apache Zeppelin allows an attacker to inject malicious scripts. This issue…
CVE-2018-1328 — CVSS 6.1 (medium): Apache Zeppelin prior to 0.8.0 had a stored XSS issue via Note permissions. Issue reported by "Josna Joseph".
CVE-2022-46870 — CVSS 5.4 (medium): An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Apache Zeppelin allows logged-in…
CVE-2021-28656 — CVSS 5.4 (medium): Cross-Site Request Forgery (CSRF) vulnerability in Credential page of Apache Zeppelin allows an attacker to submit malicious request. This…
CVE-2024-52279 — CVSS 5.3 (medium): Improper Input Validation vulnerability in Apache Zeppelin. The fix for JDBC URL validation in CVE-2024-31864 did not account for URL…
CVE-2022-47894 — CVSS 5.3 (medium): Improper Input Validation vulnerability in Apache Zeppelin SAP.This issue affects Apache Zeppelin SAP: from 0.8.0 before 0.11.0. As this…
CVE-2024-31862 — CVSS 5.3 (medium): Improper Input Validation vulnerability in Apache Zeppelin when creating a new note from Zeppelin's UI.This issue affects Apache Zeppelin…
CVE-2024-31863 — CVSS 5.3 (medium): Authentication Bypass by Spoofing vulnerability by replacing to exsiting notes in Apache Zeppelin.This issue affects Apache Zeppelin: from…
CVE-2024-51775 — CVSS 5.3 (medium): Missing Origin Validation in WebSockets vulnerability in Apache Zeppelin. The attacker could access the Zeppelin server from another origin…