CVE-2024-46910

High

Published: 13 February 2025

Published

13 February 2025

Modified

14 July 2025

KEV Added

—

Patch

—

CVSS Score 7.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N

EPSS Score 0.0045 63.6th percentile

Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-46910 is a high-severity Basic XSS (CWE-80) vulnerability in Apache Atlas. Its CVSS base score is 7.1 (High).

Operationally, ranked in the top 36.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Validates user inputs to block malicious script injection that enables XSS exploitation in Apache Atlas.

SI-15 Information Output Filtering good match

prevent

Filters outputs to encode or escape scripts, preventing their execution in other users' browsers and mitigating impersonation.

SI-2 Flaw Remediation good match

prevent

Mandates timely patching and upgrading of vulnerable software like Apache Atlas to version 2.4.0, directly remediating the XSS flaw.

NVD Description

An authenticated user can perform XSS and potentially impersonate another user. This issue affects Apache Atlas versions 2.3.0 and earlier. Users are recommended to upgrade to version 2.4.0, which fixes the issue.

Deeper analysisAI

CVE-2024-46910 is a cross-site scripting (XSS) vulnerability, classified under CWE-80, that allows an authenticated user to inject malicious scripts and potentially impersonate another user. The issue affects Apache Atlas versions 2.3.0 and earlier. It has a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N), indicating high severity due to network accessibility, low attack complexity, and significant integrity impact.

An attacker with low-privilege authenticated access (PR:L) can exploit this vulnerability over the network without requiring user interaction. Successful exploitation enables the execution of arbitrary scripts in the context of other users' browsers, leading to potential account impersonation, session hijacking, or theft of sensitive data viewed by victims, with low confidentiality impact but high integrity compromise.

Apache advisories recommend upgrading to Apache Atlas version 2.4.0, which remediates the vulnerability. Details are available in the official Apache announcement on their mailing list and the oss-security mailing list.

Details

CWE(s): CWE-80

Affected Products

apache

atlas

2.0.0 — 2.4.0

CVEs Like This One

CVE-2026-40563Same product: Apache Atlas

CVE-2024-55532Same vendor: Apache

CVE-2025-66524Same vendor: Apache

CVE-2026-24308Same vendor: Apache

CVE-2026-30911Same vendor: Apache

CVE-2026-41602Same vendor: Apache

CVE-2025-62188Same vendor: Apache

CVE-2026-40010Same vendor: Apache

CVE-2026-39816Same vendor: Apache

CVE-2026-31908Same vendor: Apache

References

https://lists.apache.org/thread/sqzp34l4cdk21zoq5g31qlsvr7jvb1fy
Issue Tracking, Mailing List, Vendor Advisory · security@apache.org
http://www.openwall.com/lists/oss-security/2025/02/12/2
Mailing List, Third Party Advisory · af854a3a-2127-422b-91ae-364da2661108