Lucene search

GitHub Advisory DatabaseGHSA-G64R-XF39-Q4P5

HistoryApr 09, 2024 - 9:31 a.m.

Apache Zeppelin Path Traversal vulnerability

2024-04-0909:31:12

CWE-20

CWE-22

GitHub Advisory Database

github.com

apache zeppelin

path traversal

input validation

vulnerability

filesystem

server account

upgrade

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

7.1 High

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

15.8%

JSON

Improper Input Validation vulnerability in Apache Zeppelin.

By adding relative path indicators (e.g ..), attackers can see the contents for any files in the filesystem that the server account can access.
This issue affects Apache Zeppelin from 0.9.0 before 0.11.0.

Users are recommended to upgrade to version 0.11.0, which fixes the issue.

Affected configurations

Vulners

Node

org.apache.zeppelin\zeppelinMatchserver

CPENameOperatorVersion
org.apache.zeppelin:zeppelin-serverlt0.11.0

CPE	Name	Operator	Version
	org.apache.zeppelin:zeppelin-server	lt	0.11.0

References

www.openwall.com/lists/oss-security/2024/04/09/2

github.com/advisories/GHSA-g64r-xf39-q4p5

github.com/apache/zeppelin/commit/f025a697c1d1d0264064d5adf6cb0b20d85041b6

github.com/apache/zeppelin/pull/4632

lists.apache.org/thread/c0zfjnow3oc3dzc8w5rbkzj8lqj5jm5x

nvd.nist.gov/vuln/detail/CVE-2024-31860

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

7.1 High

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

15.8%

JSON

Related for GHSA-G64R-XF39-Q4P5