nvd [email protected] NVD:CVE-2024-31866
History: Apr 09, 2024 - 4:15 p.m.

CVE-2024-31866

2024-04-09 16:15:08
CWE-116
web.nvd.nist.gov
apache zeppelin
shell scripts
malicious code
configuration override
upgrade
vulnerability

CVSS3: 9.8

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score: 6.8
Confidence: High

EPSS: 0
Percentile: 15.5%

Improper Encoding or Escaping of Output vulnerability in Apache Zeppelin.

Attackers can execute shell scripts or malicious code by overriding configuration such as ZEPPELIN_INTP_CLASSPATH_OVERRIDES.
This issue affects Apache Zeppelin: from 0.8.2 before 0.11.1.

Users are recommended to upgrade to version 0.11.1, which fixes the issue.
