CVE-2022-47894: Apache Zeppelin SAP: connecting to a malicious SAP server allowed it to perform XXE
First published: Tue Apr 09 2024(Updated: )
Improper Input Validation vulnerability in Apache Zeppelin SAP. This issue affects Apache Zeppelin SAP: from 0.8.0 before 0.11.0. As this project is retired, we do not plan to release a version that fixes this issue. Users are recommended to find an alternative or restrict access to the instance to trusted users. For more information, the fix already was merged in the source code but Zeppelin decided to retire the SAP component NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
Credit: security@apache.org security@apache.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| maven/org.apache.zeppelin:sap | >=0.8.0<0.11.0 | 0.11.0 |
| Apache Zeppelin | >=0.8.0<0.11.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://nvd.nist.gov/vuln/detail/CVE-2022-47894
- https://github.com/apache/zeppelin/pull/4302
- https://lists.apache.org/thread/csf4k73kkn3nx58pm0p2qrylbox4fvyy
- https://github.com/apache/zeppelin/commit/bea51d1467d6103bd8fd68d6a27b14f954d98ec6
- https://issues.apache.org/jira/browse/ZEPPELIN-5665
- https://github.com/advisories/GHSA-rr59-h6rh-v84v (Advisory)
- http://www.openwall.com/lists/oss-security/2024/04/09/4
Frequently Asked Questions
What is the severity of CVE-2022-47894?
CVE-2022-47894 has been classified as a moderate severity vulnerability due to improper input validation.
How do I fix CVE-2022-47894?
There is no fix for CVE-2022-47894 as the Apache Zeppelin project has been retired; users are advised to migrate to alternative solutions or restrict access.
Which versions of Apache Zeppelin SAP are affected by CVE-2022-47894?
CVE-2022-47894 affects Apache Zeppelin SAP versions from 0.8.0 to before 0.11.0.
Is there a workaround for CVE-2022-47894?
Users are recommended to restrict access to affected systems as there are no updates or patches available for CVE-2022-47894.
What impact does CVE-2022-47894 have on my system?
CVE-2022-47894 could potentially allow attackers to exploit improper input validation, leading to unauthorized actions or data manipulation.
- agent/title
- agent/first-publish-date
- agent/type
- collector/oss-sec
- source/oss-sec
- alias/CVE-2022-47894
- agent/weakness
- agent/softwarecombine
- agent/author
- agent/references
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-rr59-h6rh-v84v
- agent/software-canonical-lookup
- collector/nvd-cve
- source/NVD
- collector/github-advisory
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/event
- agent/trending
- agent/source
- agent/tags
- agent/last-modified-date
- agent/description
- collector/nvd-api
- package-manager/maven
- vendor/apache
- canonical/apache zeppelin
- version/apache zeppelin/0.8.0