Lucene search

[email protected]NVD:CVE-2024-31864

HistoryApr 09, 2024 - 4:15 p.m.

CVE-2024-31864

2024-04-0916:15:08

CWE-94

[email protected]

web.nvd.nist.gov

vulnerability

apache zeppelin

code injection

mysql

jdbc driver

upgrade

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

6.6

Confidence

High

EPSS

Percentile

15.5%

JSON

Improper Control of Generation of Code (‘Code Injection’) vulnerability in Apache Zeppelin.

The attacker can inject sensitive configuration or malicious code when connecting MySQL database via JDBC driver.
This issue affects Apache Zeppelin: before 0.11.1.

Users are recommended to upgrade to version 0.11.1, which fixes the issue.

References

www.openwall.com/lists/oss-security/2024/04/09/8

github.com/apache/zeppelin/pull/4709

lists.apache.org/thread/752qdk0rnkd9nqtornz734zwb7xdwcdb

www.cve.org/CVERecord?id=CVE-2020-11974

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

6.6

Confidence

High

EPSS

Percentile

15.5%

JSON

Related for NVD:CVE-2024-31864

cnvd1 cve1 vulnrichment1 github1 veracode1 cvelist1 osv1