github - ghsa-x3v6-f5fr-4wwv

ghsa-x3v6-f5fr-4wwv

Vulnerability from github

Published

2025-02-13 09:31

Modified

2025-02-13 22:16

Severity ?

7.1 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N
5.3 (Medium) - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Summary

Apache Atlas: An authenticated user can perform XSS and potentially impersonate another user

Details

An authenticated user can perform XSS and potentially impersonate another user.

This issue affects Apache Atlas versions 2.3.0 and earlier.

Users are recommended to upgrade to version 2.4.0, which fixes the issue.

Show details on source website

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.atlas:apache-atlas"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0.0"
            },
            {
              "fixed": "2.4.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-46910"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-80"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-02-13T17:24:09Z",
    "nvd_published_at": "2025-02-13T09:15:09Z",
    "severity": "MODERATE"
  },
  "details": "An authenticated user can perform XSS and potentially impersonate another user.\n\nThis issue affects Apache Atlas versions\u00a02.3.0 and earlier.\n\nUsers are recommended to upgrade to version 2.4.0, which fixes the issue.",
  "id": "GHSA-x3v6-f5fr-4wwv",
  "modified": "2025-02-13T22:16:38Z",
  "published": "2025-02-13T09:31:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-46910"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/apache/atlas"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread/sqzp34l4cdk21zoq5g31qlsvr7jvb1fy"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2025/02/12/2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Apache Atlas: An authenticated user can perform XSS and potentially impersonate another user"
}

cve-2024-46910

Vulnerability from cvelistv5

Published

2025-02-13 08:52

Modified

2025-02-20 16:52

Severity ?

Summary

Apache Atlas: An authenticated user can perform XSS and potentially impersonate another user

References

▼	URL	Tags
	https://lists.apache.org/thread/sqzp34l4cdk21zoq5g31qlsvr7jvb1fy	vendor-advisory

Impacted products

▼	Vendor	Product
	Apache Software Foundation	Apache Atlas

Show details on NVD website

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-02-13T09:03:26.945Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2025/02/12/2"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 7.1,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "LOW",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-46910",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-13T20:33:23.610651Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-13T20:33:42.551Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://repo.maven.apache.org/maven2",
          "defaultStatus": "unaffected",
          "packageName": "org.apache.atlas:atlas-webapp",
          "product": "Apache Atlas",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThanOrEqual": "2.3.0",
              "status": "affected",
              "version": "2.0.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "SecIQ Technologies LLP"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eAn authenticated user can perform XSS and potentially impersonate another user.\u003c/p\u003e\u003cp\u003eThis issue affects Apache Atlas \u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eversions\u0026nbsp;\u003c/span\u003e2.3.0 and earlier.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 2.4.0, which fixes the issue.\u003c/p\u003e"
            }
          ],
          "value": "An authenticated user can perform XSS and potentially impersonate another user.\n\nThis issue affects Apache Atlas versions\u00a02.3.0 and earlier.\n\nUsers are recommended to upgrade to version 2.4.0, which fixes the issue."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "text": "important"
            },
            "type": "Textual description of severity"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-80",
              "description": "CWE-80 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-02-20T16:52:56.248Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.apache.org/thread/sqzp34l4cdk21zoq5g31qlsvr7jvb1fy"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Apache Atlas: An authenticated user can perform XSS and potentially impersonate another user",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2024-46910",
    "datePublished": "2025-02-13T08:52:57.498Z",
    "dateReserved": "2024-09-13T21:17:58.694Z",
    "dateUpdated": "2025-02-20T16:52:56.248Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Log in or create an account to share your comment.

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.