Cyber Resilience

CVE-2024-46910

High

Published: 13 February 2025

Published
13 February 2025
Modified
14 July 2025
KEV Added
Patch
CVSS Score v3.1 7.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N
EPSS Score 0.0045 63.9th percentile
Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-46910 is a high-severity Basic XSS (CWE-80) vulnerability in Apache Atlas. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 36.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Deeper analysis

CVE-2024-46910 is a cross-site scripting (XSS) vulnerability, classified under CWE-80, that allows an authenticated user to inject malicious scripts and potentially impersonate another user. The issue affects Apache Atlas versions 2.3.0 and earlier. It has a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N), indicating high severity due to network accessibility, low attack complexity, and significant integrity impact.

An attacker with low-privilege authenticated access (PR:L) can exploit this vulnerability over the network without requiring user interaction. Successful exploitation enables the execution of arbitrary scripts in the context of other users' browsers, leading to potential account impersonation, session hijacking, or theft of sensitive data viewed by victims, with low confidentiality impact but high integrity compromise.

Apache advisories recommend upgrading to Apache Atlas version 2.4.0, which remediates the vulnerability. Details are available in the official Apache announcement on their mailing list and the oss-security mailing list.

EU & UK References

Vulnerability details

An authenticated user can perform XSS and potentially impersonate another user. This issue affects Apache Atlas versions 2.3.0 and earlier. Users are recommended to upgrade to version 2.4.0, which fixes the issue.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1185 Browser Session Hijacking Collection
Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.
Why these techniques?

XSS in web app directly enables exploitation of public-facing application (T1190) and facilitates browser session hijacking via injected scripts (T1185).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-40563Same product: Apache Atlas
CVE-2026-40010Same vendor: Apache
CVE-2026-46586Same vendor: Apache
CVE-2026-41873Same vendor: Apache
CVE-2025-24783Same vendor: Apache
CVE-2024-53678Same vendor: Apache
CVE-2026-34059Same vendor: Apache
CVE-2026-40961Same vendor: Apache
CVE-2025-48913Same vendor: Apache
CVE-2025-65114Same vendor: Apache

Affected Assets

apache
atlas
2.0.0 — 2.4.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Validates user inputs to block malicious script injection that enables XSS exploitation in Apache Atlas.

prevent

Filters outputs to encode or escape scripts, preventing their execution in other users' browsers and mitigating impersonation.

prevent

Mandates timely patching and upgrading of vulnerable software like Apache Atlas to version 2.4.0, directly remediating the XSS flaw.

References