CVE-2024-46910

7.1 HIGH

📋 TL;DR

An authenticated user in Apache Atlas can inject malicious scripts (XSS) that execute in other users' browsers, potentially allowing impersonation of those users. This affects Apache Atlas versions 2.3.0 and earlier where users have authenticated access.

💻 Affected Systems

Products:
  • Apache Atlas
Versions: 2.3.0 and earlier
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires an authenticated user; default configurations are vulnerable if unpatched.


⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker could fully impersonate another user, gaining their privileges, accessing sensitive data, or performing unauthorized actions as that user.

🟠 Likely Case

An attacker steals session tokens or credentials via XSS, leading to unauthorized access to the victim's account.

🟢 If Mitigated

With input validation and output encoding controls, the XSS payloads would be neutralized, preventing exploitation.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires authenticated access and user interaction (e.g., victim viewing malicious content).

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.4.0

Vendor Advisory: https://lists.apache.org/thread/sqzp34l4cdk21zoq5g31qlsvr7jvb1fy

Restart Required: No

Instructions:

1. Download Apache Atlas version 2.4.0 from the official Apache website.
2. Replace the existing installation with the new version.
3. Verify the upgrade by checking the version number.

🔧 Temporary Workarounds

Implement Content Security Policy (CSP)

all

Deploy a strict CSP header to mitigate XSS by restricting script execution sources.

Add a 'Content-Security-Policy' header with appropriate directives in the web server configuration.

🧯 If You Can't Patch

  • Restrict user access to only trusted, authenticated users and monitor for suspicious activity.
  • Deploy a web application firewall (WAF) with XSS protection rules enabled.

🔍 How to Verify

Check if Vulnerable:

Check the Apache Atlas version; if it is 2.3.0 or earlier, it is vulnerable.

Check Version:

Check the version in the Apache Atlas web interface or configuration files.

Verify Fix Applied:

Confirm the version is 2.4.0 or later and test for XSS vulnerabilities via security scanning.

📡 Detection & Monitoring

Log Indicators:

  • Unusual user activity, such as login from unexpected locations or privilege escalation attempts.

Network Indicators:

  • HTTP requests containing suspicious script tags or encoded payloads in parameters.

SIEM Query:

Search for web logs with patterns like '<script>', 'javascript:', or encoded characters in URL parameters.
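The SIEM search above, as an added example that is not part of the original advisory: a small Python filter that parses constructed Common Log Format lines, URL-decodes the query string (repeatedly, so double-encoded payloads are also caught) and flags requests carrying '<script' or 'javascript:'. The log lines, user names and paths are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Common Log Format); not real Atlas traffic.
SAMPLE_LOGS = [
    '10.0.0.5 - alice [12/Oct/2024:10:01:02 +0000] "GET /api/atlas/v2/search/basic?query=customer_table HTTP/1.1" 200 512',
    '10.0.0.9 - bob [12/Oct/2024:10:02:11 +0000] "GET /api/atlas/v2/search/basic?query=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 88',
    '10.0.0.9 - bob [12/Oct/2024:10:02:30 +0000] "GET /index.html?name=javascript:alert(document.cookie) HTTP/1.1" 200 88',
    '10.0.0.9 - bob [12/Oct/2024:10:03:00 +0000] "GET /index.html?name=%253Cscript%253E HTTP/1.1" 200 88',
    '10.0.0.7 - carol [12/Oct/2024:10:04:00 +0000] "POST /api/atlas/v2/entity HTTP/1.1" 201 64',
]

# Pull client IP, authenticated user, method and request target out of a CLF line.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+)')
# The two indicator strings the advisory names, matched case-insensitively.
XSS_RE = re.compile(r'<\s*script|javascript\s*:', re.IGNORECASE)


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """URL-decode repeatedly so %253C (double-encoded '<') is still caught."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_xss_indicators(lines):
    """Return one finding per request whose query string carries an XSS marker."""
    findings = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m or "?" not in m["target"]:
            continue  # unparsable line, or no query string to inspect
        query = m["target"].split("?", 1)[1]
        decoded = fully_decode(query)
        hit = XSS_RE.search(decoded)
        if hit:
            findings.append({
                "ip": m["ip"],
                "user": m["user"],
                "path": m["target"].split("?", 1)[0],
                "indicator": hit.group(0).lower(),
                "encoded": decoded != query,  # True when the payload was URL-encoded
            })
    return findings
```

Because the finding carries the authenticated user, the same output can be joined against the "unusual user activity" indicators listed above to see whether a flagged account later shows up with unexpected logins or privilege changes.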
