
CVE-2017-12619: Session Fixation in Apache Zeppelin

CVSS Score: 8.1 (CVSS v3.0)

Basic Information

EPSS Score: 0.75838%
Published: 4/24/2019
Updated: 2/1/2023
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

Package Name                  Ecosystem   Vulnerable Versions   First Patched Version
org.apache.zeppelin:zeppelin  maven       < 0.7.3               0.7.3

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

Session fixation vulnerabilities typically occur when an application fails to generate a new session ID after successful authentication. The login endpoint (handled by LoginRestApi.postLogin in Zeppelin) is the most logical location for this missing security control. While no direct patch code is shown, the CVE description and standard session fixation mitigation patterns strongly indicate this authentication handler as the vulnerable function where session regeneration would need to be implemented in the patched version.
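The missing control described above, shown as an added Java example (not Zeppelin's own code): a login handler that keeps the pre-authentication session beside one that discards it and lets the container issue a fresh ID. The Authenticator interface is a hypothetical stand-in for whatever verifies credentials.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/** Added illustration of session-ID handling around login; not Zeppelin code. */
public class LoginSessionHandling {

    /** Hypothetical credential check; stands in for the real authenticator. */
    interface Authenticator {
        boolean authenticate(String user, String password);
    }

    /**
     * Session fixation pattern: whatever session existed before login is kept
     * and merely marked authenticated. An ID that was known before login
     * (e.g. planted via a link or cookie) now identifies the logged-in user.
     */
    static HttpSession loginKeepingSession(HttpServletRequest req, Authenticator auth,
                                           String user, String password) {
        if (!auth.authenticate(user, password)) {
            return null;
        }
        HttpSession session = req.getSession(true); // same ID as before login
        session.setAttribute("principal", user);
        return session;
    }

    /**
     * Mitigated pattern: invalidate the pre-authentication session server-side
     * and create a new one, so the ID is different after a successful login.
     * On Servlet 3.1+ containers, req.changeSessionId() can replace the
     * invalidate/create pair while preserving existing attributes.
     */
    static HttpSession loginWithFreshSession(HttpServletRequest req, Authenticator auth,
                                             String user, String password) {
        if (!auth.authenticate(user, password)) {
            return null;
        }
        HttpSession old = req.getSession(false);
        if (old != null) {
            old.invalidate(); // the previously known ID no longer maps to anything
        }
        HttpSession fresh = req.getSession(true); // container assigns a new ID
        fresh.setAttribute("principal", user);
        return fresh;
    }
}
```

A quick check for this class of bug in any web application: compare the session cookie value returned before and after a successful login; if it is unchanged, the application is regenerating nothing.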


WAF Protection Rules

WAF Rule

Apache Zeppelin prior to 0.7.3 was vulnerable to session fixation which allowed an attacker to hijack a valid user session. Issue was reported by "stone lone".
