CVE-2024-31860

2024-04-0909:15:26

CWE-20

[email protected]

web.nvd.nist.gov

apache zeppelin

input validation

attackers

filesystem

upgrade

vulnerability

6.7 Medium

AI Score

Confidence

Low

0.0004 Low

EPSS

Percentile

15.7%

JSON

Improper Input Validation vulnerability in Apache Zeppelin.

By adding relative path indicators(E.g …), attackers can see the contents for any files in the filesystem that the server account can access.
This issue affects Apache Zeppelin: from 0.9.0 before 0.11.0.

Users are recommended to upgrade to version 0.11.0, which fixes the issue.

Affected configurations

Vulners

Node

apachezeppelinRange≤0.11.0

CNA Affected

[
  {
    "collectionURL": "https://repo.maven.apache.org/maven2",
    "defaultStatus": "unaffected",
    "packageName": "org.apache.zeppelin:zeppelin-server",
    "product": "Apache Zeppelin",
    "vendor": "Apache Software Foundation",
    "versions": [
      {
        "lessThan": "0.11.0",
        "status": "affected",
        "version": "0.9.0",
        "versionType": "semver"
      }
    ]
  }
]