Apache Zeppelin
cpe:2.3:a:apache:zeppelin:*:*:*:*:*:*:*
- < 0.12.0
A cross-site scripting vulnerability has been identified in the Helium module of Apache Zeppelin, affecting versions prior to 0.12.0. This issue arises from an incomplete blacklist that fails to properly sanitize user input, allowing for the injection of malicious scripts. Users are advised to upgrade to version 0.12.0, which addresses this vulnerability.
Exploitation of this vulnerability results in cross-site scripting: an attacker who can supply a Helium package can inject script that runs in the context of the viewing user's browser session with that user's Zeppelin privileges.
To reproduce this vulnerability, create a malicious Helium package that includes unescaped JavaScript. When this package is loaded into Apache Zeppelin versions prior to 0.12.0, the injected script will be executed, demonstrating the cross-site scripting flaw. This can be verified by opening a modal that displays the package information, which will render the JavaScript instead of escaping it.
Users should upgrade to Apache Zeppelin version 0.12.0 or later, which includes the necessary fixes for this vulnerability.
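The root cause named above is an incomplete blacklist used where output encoding belongs. The following is an added illustration, not Zeppelin's own code or its actual fix: a constructed `blacklistSanitize` that strips only the tags it names is compared with an HTML escaping function used when rendering package metadata into a modal. The package object, field names and `renderPackageModal` are assumptions for the example.

```javascript
// Added example (not Apache Zeppelin's code): why escaping beats a blacklist
// when untrusted Helium package metadata is rendered into a modal.

// Incomplete blacklist: removes only the literal <script> tag pair.
// Any element or attribute the list does not name passes through unchanged.
function blacklistSanitize(s) {
  return String(s).replace(/<\/?script[^>]*>/gi, "");
}

// Context-appropriate output encoding for HTML text nodes and quoted attributes.
// Every character that can open markup is replaced by its entity, so the
// browser treats the value as text regardless of what it contains.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Hypothetical modal body renderer: untrusted package fields never reach the
// DOM unescaped. The field list is an assumption for this example.
function renderPackageModal(pkg) {
  const fields = ["name", "description", "author"];
  return fields
    .map((f) => `<p><b>${escapeHtml(f)}:</b> ${escapeHtml(pkg[f] ?? "")}</p>`)
    .join("");
}

// Constructed sample package with an inline event handler in its description.
const samplePackage = { name: "demo", description: '<b onclick="x()">hi</b>' };

// The blacklist leaves the element and its handler intact; escaping renders it as text.
console.log(blacklistSanitize(samplePackage.description));
console.log(renderPackageModal(samplePackage));
```

The check a reviewer wants is that no `<` from an untrusted field survives into the rendered markup; with escaping that holds for every input, whereas a blacklist only holds for the inputs its author anticipated.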