Analysis Summary

CVE-2025-54656 CVSS:6.5

Apache Struts Extras could allow a remote attacker to bypass security restrictions, caused by an improper output neutralization for Logs vulnerability. When using LookupDispatchAction, in some cases, Struts may print untrusted input to the logs without any filtering. The specially-crafted input may lead to log output where part of the message masquerades as a separate log line

CVE-2024-41177 CVSS:6.1

Apache Zeppelin is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the Helium module.

CVE-2024-52279 CVSS:6.1

Apache Zeppelin could allow a remote attacker to read arbitrary files, caused by improper JDBC URL validation.

CVE-2024-51775 CVSS:6.1

Apache Zeppelin could allow a remote attacker to execute arbitrary commands via CSWSH, caused by missing origin validation in WebSockets.

Impact

• Gain Access
• Security Bypass
• Cross-Site Scripting
• Information Disclosure

Indicators of Compromise

CVE

• CVE-2025-54656

• CVE-2024-41177

• CVE-2024-52279

• CVE-2024-51775

Affected Vendors

Remediation

Refer to Apache Security Advisory for patch, upgrade, or suggested workaround information.

CVE-2025-54656

CVE-2024-41177

CVE-2024-52279

CVE-2024-51775