CVE-2021-28656 — Apache Zeppelin CSRF vulnerability in the Credentials page

Description

Cross-Site Request Forgery (CSRF) vulnerability in Credential page of Apache Zeppelin allows an attacker to submit malicious request. This issue affects Apache Zeppelin Apache Zeppelin version 0.9.0 and prior versions.

How to fix CVE-2021-28656

No fixed version has been published yet. Mitigate by removing the affected package or applying upstream guidance from the references below.

—no fix listed

Is CVE-2021-28656 being exploited?

Low — EPSS is 1.8%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, <= 0.9.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM5.4	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

References (4)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2021-28656
PATCHgithub.com/apache/zeppelin
WEBlists.apache.org/thread/dttzkkv4qyn1rq2fdv1r94otb1osxztc
WEBwww.openwall.com/lists/oss-security/2024/04/09/3