PT-2024-20490 · Apache · Apache Hop Engine

Jonathan Leitschuh · Published 2024-03-18 · Updated 2025-07-15 · CVE-2024-24683

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Apache Hop Engine versions prior to 2.8.0

Description: The issue is related to improper input validation in the Apache Hop Engine, specifically affecting the Hop Server component. When the Hop Server writes links to the PrepareExecutionPipelineServlet page, one of the parameters it takes from the user, the id, is not properly escaped before being written into the link. The risk of exploiting this issue is low, because the id is not directly accessible to users creating pipelines. The issue does not directly affect the client.

Recommendations: For Apache Hop Engine versions prior to 2.8.0, users are recommended to upgrade to version 2.8.0, which fixes the issue. As a temporary workaround, consider restricting access to the PrepareExecutionPipelineServlet page until the upgrade is applied. Additionally, users can minimize the risk of exploitation by being cautious when creating pipelines and avoiding any potential manipulation of the id variable.
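The defect described above is a missing output-encoding step when a user-controlled id is written into an HTML link. The following added example (illustrative code written for this page, not Apache Hop's own servlet code) shows the unsafe concatenation pattern next to a hardened version; the link path, the `Prepare` label and the hostile sample id are constructed placeholders, not values from the page.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;

public class PrepareExecutionLinkExample {

    // Unsafe pattern: the id lands in the href attribute exactly as received,
    // so a quote or angle bracket in it changes the markup of the page.
    static String vulnerableLink(String id) {
        // "/prepareExec/" is a placeholder path, not Hop's real servlet mapping.
        return "<a href=\"/prepareExec/?id=" + id + "\">Prepare</a>";
    }

    // Hardened pattern: encode for the URL query context first, then escape
    // for the HTML attribute context the URL is embedded in.
    static String safeLink(String id) {
        String query = URLEncoder.encode(id, StandardCharsets.UTF_8);
        return "<a href=\"/prepareExec/?id=" + escapeHtmlAttribute(query) + "\">Prepare</a>";
    }

    // Minimal HTML attribute escaper; a real project would use its existing
    // templating or escaping library rather than hand-rolling this.
    static String escapeHtmlAttribute(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed sample id containing attribute-breaking characters.
        String hostileId = "42\"><b>injected</b>";
        System.out.println("unsafe: " + vulnerableLink(hostileId));
        System.out.println("safe:   " + safeLink(hostileId));
    }
}
```

Running the class shows the unsafe output closing the attribute and starting a new element, while the hardened output keeps the whole id inside the query string as inert text.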

Fix

RCE

Weakness Enumeration

Related Identifiers

CVE-2024-24683
GHSA-F6G6-PJGC-5CJ5

Affected Products

Apache Hop Engine