CVE-2020-13928: Cross-site scripting in Apache Atlas
CVSS Score: 6.1 (CVSS v3.1)
Basic Information
CVE ID: CVE-2020-13928
GHSA ID:
EPSS Score: 0.82363%
CWE:
Published: 2/10/2022
Updated: 2/1/2023
KEV Status: No
Technology: Java
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| org.apache.atlas:apache-atlas | maven | < 2.1.0 | 2.1.0 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability manifests in two phases: 1) unsanitized input is stored when a search is saved, and 2) that stored input is later emitted unsafely during rendering. The identified controller method aligns with the first phase, since it handles search persistence, while the renderer method corresponds to the second phase. Both would appear in an exploitation call stack: the controller when the malicious input is submitted, and the renderer when the stored XSS payload is displayed to a user. Confidence is medium because there is no direct patch evidence; the analysis is grounded in the advisory's description of the vulnerable operations.