CVE-2024-51775

Missing Origin Validation in WebSockets vulnerability in Apache Zeppelin. The attacker could access the Zeppelin server from another origin without any restriction, and get internal information about paragraphs. This issue affects Apache Zeppelin: from 0.11.1 before 0.12.0. Users are recommended to upgrade to version 0.12.0, which fixes the issue.

CVSS v3 5.3 MEDIUM

5.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/apache/zeppelin/pull/4823	Issue Tracking
http://www.openwall.com/lists/oss-security/2025/08/03/5

Configurations

Configuration 1 (hide)

cpe:2.3:a:apache:zeppelin:*:*:*:*:*:*:*:*

History

04 Nov 2025, 22:16

Type	Values Removed	Values Added
References		() http://www.openwall.com/lists/oss-security/2025/08/03/5 -

05 Aug 2025, 15:59

Type	Values Removed	Values Added
References	~~() https://github.com/apache/zeppelin/pull/4823 -~~	() https://github.com/apache/zeppelin/pull/4823 - Issue Tracking
CPE		cpe:2.3:a:apache:zeppelin::::::::
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 5.3
First Time		Apache zeppelin Apache

04 Aug 2025, 15:06

Type	Values Removed	Values Added
Summary		(es) Vulnerabilidad de falta de validación de origen en WebSockets en Apache Zeppelin. El atacante podría acceder al servidor Zeppelin desde otro origen sin restricciones y obtener información interna sobre los párrafos. Este problema afecta a Apache Zeppelin desde la versión 0.11.1 hasta la 0.12.0. Se recomienda actualizar a la versión 0.12.0, que soluciona el problema.

03 Aug 2025, 11:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-08-03 11:15

Updated : 2025-11-04 22:16

NVD link : CVE-2024-51775

Mitre link : CVE-2024-51775

CVE.ORG link : CVE-2024-51775

JSON object : View

Products Affected

apache

zeppelin

CWE

CWE-1385

Missing Origin Validation in WebSockets

{"id": "CVE-2024-51775", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 3.9}, {"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2025-08-03T11:15:26.000", "references": [{"url": "https://github.com/apache/zeppelin/pull/4823", "tags": ["Issue Tracking"], "source": "security@apache.org"}, {"url": "http://www.openwall.com/lists/oss-security/2025/08/03/5", "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "security@apache.org", "description": [{"lang": "en", "value": "CWE-1385"}]}], "descriptions": [{"lang": "en", "value": "Missing Origin Validation in WebSockets vulnerability in Apache Zeppelin.\n\nThe attacker could access the Zeppelin server from another origin without any restriction, and get internal information about paragraphs.\u00a0\nThis issue affects Apache Zeppelin: from 0.11.1 before 0.12.0.\n\nUsers are recommended to upgrade to version 0.12.0, which fixes the issue."}, {"lang": "es", "value": "Vulnerabilidad de falta de validaci\u00f3n de origen en WebSockets en Apache Zeppelin. El atacante podr\u00eda acceder al servidor Zeppelin desde otro origen sin restricciones y obtener informaci\u00f3n interna sobre los p\u00e1rrafos. Este problema afecta a Apache Zeppelin desde la versi\u00f3n 0.11.1 hasta la 0.12.0. Se recomienda actualizar a la versi\u00f3n 0.12.0, que soluciona el problema."}], "lastModified": "2025-11-04T22:16:04.370", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:apache:zeppelin:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B0F17B27-7AF8-4575-81FB-DD250ED7D8B1", "versionEndExcluding": "0.12.0", "versionStartIncluding": "0.11.0"}], "operator": "OR"}]}], "sourceIdentifier": "security@apache.org"}