GitHub Advisory DatabaseGHSA-66J8-C83M-GJ5FApache Zeppelin remote code execution by adding malicious JDBC connection string
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
AI Score
Confidence
High
EPSS
Percentile
15.5%
Improper Control of Generation of Code (‘Code Injection’) vulnerability in Apache Zeppelin.
The attacker can inject sensitive configuration or malicious code when connecting MySQL database via JDBC driver. This issue affects Apache Zeppelin: before 0.11.1.
Users are recommended to upgrade to version 0.11.1, which fixes the issue.
Affected configurations
| Vendor | Product | Version | CPE |
|---|---|---|---|
| org.apache.zeppelin | zeppelin-jdbc | * | cpe:2.3:a:org.apache.zeppelin:zeppelin-jdbc:*:*:*:*:*:*:*:* |
References
www.openwall.com/lists/oss-security/2024/04/09/8
github.com/advisories/GHSA-66j8-c83m-gj5f
github.com/apache/zeppelin/commit/e65b5430e43c076c138a1f56e3f2aba1324118f2
github.com/apache/zeppelin/pull/4709
issues.apache.org/jira/browse/ZEPPELIN-5990
lists.apache.org/thread/752qdk0rnkd9nqtornz734zwb7xdwcdb
nvd.nist.gov/vuln/detail/CVE-2024-31864
www.cve.org/CVERecord?id=CVE-2020-11974
Related
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
AI Score
Confidence
High
EPSS
Percentile
15.5%