CVE-2021-28655: Apache Zeppelin arbitrary file deletion vulnerability

Apache Zeppelin developers last week announced the release of patches for two vulnerabilities in its software, including a high-severity defect.

The most severe of these issues is CVE-2021-28655 (CVSS score of 8.2), an arbitrary file deletion vulnerability in the “Move folder to Trash” feature that could allow a remote attacker to send a specially-crafted request and delete the arbitrary files on a vulnerable software.

Zeppelin is a web-based notebook that enables interactive data analytics. You can make beautiful data-driven, interactive and collaborative documents with SQL, Scala, and more.

The issue exists due to improper input validation in the “Move folder to Trash” feature and can be exploited if an attacker sends a specially-crafted request.

CVE-2021-28655 affects Apache Zeppelin version 0.9.0 and prior versions and was found by security researcher Kai Zhao (finder).

Another moderate-severity issue that Apache Zeppelin addressed impacts the Web Page Generation of Apache Zeppelin and could lead to execute arbitrary javascript in other users’ browsers.

Tracked as CVE-2022-46870, the flaw issues exist because user-supplied input is not sufficiently validated. A remote authenticated attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim’s Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials. This issue affects Apache Zeppelin before 0.8.2.

Apache Zeppelin releases 0.10.1 contain patches for these vulnerabilities.