CVE-2022-47894

Apache Zeppelin SAP: connecting to a malicious SAP server allowed it to perform XXE

Severity Score

5.3

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Attend

*SSVC

Descriptions

Improper Input Validation vulnerability in Apache Zeppelin SAP.This issue affects Apache Zeppelin SAP: from 0.8.0 before 0.11.0.

As this project is retired, we do not plan to release a version that fixes this issue. Users are recommended to find an alternative or restrict access to the instance to trusted users.

For more information, the fix already was merged in the source code but Zeppelin decided to retire the SAP component
NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

Vulnerabilidad de validación de entrada incorrecta en Apache Zeppelin SAP. Este problema afecta a Apache Zeppelin SAP: desde 0.8.0 antes de 0.11.0. Como este proyecto está retirado, no planeamos lanzar una versión que solucione este problema. Se recomienda a los usuarios que busquen una alternativa o restrinjan el acceso a la instancia a usuarios confiables. Para obtener más información, la solución ya se fusionó en el código fuente, pero Zeppelin decidió retirar el componente SAP. NOTA: Esta vulnerabilidad solo afecta a los productos que ya no son compatibles con el fabricante.

*Credits: kuiplatain@knownsec 404 Team

CVSS Scores

CISAv3.1 5.3

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:Attend

Exploitation

None

Automatable

Yes

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2022-12-21 CVE Reserved
2024-04-09 CVE Published
2024-05-02 EPSS Updated
2024-08-29 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-20: Improper Input Validation

CAPEC

References (3)

URL	Tag	Source
http://www.openwall.com/lists/oss-security/2024/04/09/4

URL	Date	SRC

URL	Date	SRC
https://github.com/apache/zeppelin/pull/4302	2024-05-17

URL	Date	SRC
https://lists.apache.org/thread/csf4k73kkn3nx58pm0p2qrylbox4fvyy	2024-05-17

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Apache Software Foundation Search vendor "Apache Software Foundation"		Apache Zeppelin SAP Search vendor "Apache Software Foundation" for product "Apache Zeppelin SAP"				>= 0.8.0 < 0.11.0 Search vendor "Apache Software Foundation" for product "Apache Zeppelin SAP" and version " >= 0.8.0 < 0.11.0"		en		Affected