CVE-2024-46910

High

Published: 13 February 2025

Published

13 February 2025

Modified

14 July 2025

KEV Added

—

Patch

—

CVSS Score 7.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N

EPSS Score 0.0045 63.5th percentile

Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Description

An authenticated user can perform XSS and potentially impersonate another user. This issue affects Apache Atlas versions 2.3.0 and earlier. Users are recommended to upgrade to version 2.4.0, which fixes the issue.

Security Summary

CVE-2024-46910 is a cross-site scripting (XSS) vulnerability, classified under CWE-80, that allows an authenticated user to inject malicious scripts and potentially impersonate another user. The issue affects Apache Atlas versions 2.3.0 and earlier. It has a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N), indicating high severity due to network accessibility, low attack complexity, and significant integrity impact.

An attacker with low-privilege authenticated access (PR:L) can exploit this vulnerability over the network without requiring user interaction. Successful exploitation enables the execution of arbitrary scripts in the context of other users' browsers, leading to potential account impersonation, session hijacking, or theft of sensitive data viewed by victims, with low confidentiality impact but high integrity compromise.

Apache advisories recommend upgrading to Apache Atlas version 2.4.0, which remediates the vulnerability. Details are available in the official Apache announcement on their mailing list and the oss-security mailing list.

Details

CWE(s): CWE-80

Affected Products

apache

atlas

2.0.0 — 2.4.0

References

https://lists.apache.org/thread/sqzp34l4cdk21zoq5g31qlsvr7jvb1fy
Issue Tracking, Mailing List, Vendor Advisory · security@apache.org
http://www.openwall.com/lists/oss-security/2025/02/12/2
Mailing List, Third Party Advisory · af854a3a-2127-422b-91ae-364da2661108