GHSA-rr59-h6rh-v84v

Source
https://github.com/advisories/GHSA-rr59-h6rh-v84v
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/04/GHSA-rr59-h6rh-v84v/GHSA-rr59-h6rh-v84v.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-rr59-h6rh-v84v
Aliases
  • CVE-2022-47894
Published
2024-04-09T12:30:47Z
Modified
2024-05-02T15:10:57.544290Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Summary
Apache Zeppelin SAP: connecting to a malicious SAP server allowed it to perform XXE
Details

Improper Input Validation vulnerability in Apache Zeppelin SAP. This issue affects Apache Zeppelin SAP: from 0.8.0 before 0.11.0.

As this project is retired, we do not plan to release a version that fixes this issue. Users are recommended to find an alternative or restrict access to the instance to trusted users.

The fix has already been merged into the source code, but Zeppelin decided to retire the SAP component rather than release a fixed version. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

Database specific
{
    "nvd_published_at": "2024-04-09T10:15:08Z",
    "cwe_ids": [
        "CWE-20",
        "CWE-611"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2024-04-09T16:23:54Z"
}
References

Affected packages

Maven / org.apache.zeppelin:sap

Package

Name
org.apache.zeppelin:sap
Purl
pkg:maven/org.apache.zeppelin/sap

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0.8.0
Fixed
0.11.0

Affected versions

0.*

0.8.0
0.8.1
0.8.2
0.9.0
0.9.0-preview1
0.9.0-preview2
0.10.0
0.10.1