Advisories for Maven/Org.apache.atlas/Apache-Atlas package

Description: Improper Control of Generation of Code ('Code Injection') vulnerability in Apache Atlas. Apache Atlas exposes a DSL search endpoint that accepts user-supplied query strings. Attacker can alter Gremlin traversal logic within grammar-allowed characters to access unintended data. Affected Version: This issue affects Apache Atlas: from 0.8-incubating through 2.4.0. For affected versions >= 2.0.0, the vulnerability is only exploitable when Atlas is deployed with below non-default configuration. atlas.dsl.executor.traversal=false Mitigation: Users …

An authenticated user can perform XSS and potentially impersonate another user. This issue affects Apache Atlas versions 2.3.0 and earlier. Users are recommended to upgrade to version 2.4.0, which fixes the issue.

A vulnerability in import module of Apache Atlas allows an authenticated user to write to web server filesystem. This issue affects Apache Atlas versions from 0.8.4 to 2.2.0.

Apache Atlas before 2.1.0 contain a XSS vulnerability. While saving search or rendering elements values are not sanitized correctly and because of that it triggers the XSS vulnerability.

Apache Atlas versions 0.8.3 and 1.1.0 were found vulnerable to Stored Cross-Site Scripting in the search functionality