GoogleOSV:GHSA-66J8-C83M-GJ5FApache Zeppelin remote code execution by adding malicious JDBC connection string
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
AI Score
Confidence
High
EPSS
Percentile
92.0%
Improper Control of Generation of Code (‘Code Injection’) vulnerability in Apache Zeppelin.
The attacker can inject sensitive configuration or malicious code when connecting MySQL database via JDBC driver. This issue affects Apache Zeppelin: before 0.11.1.
Users are recommended to upgrade to version 0.11.1, which fixes the issue.
References
www.openwall.com/lists/oss-security/2024/04/09/8
github.com/apache/zeppelin
github.com/apache/zeppelin/commit/e65b5430e43c076c138a1f56e3f2aba1324118f2
github.com/apache/zeppelin/pull/4709
issues.apache.org/jira/browse/ZEPPELIN-5990
lists.apache.org/thread/752qdk0rnkd9nqtornz734zwb7xdwcdb
nvd.nist.gov/vuln/detail/CVE-2024-31864
www.cve.org/CVERecord?id=CVE-2020-11974
Related
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
AI Score
Confidence
High
EPSS
Percentile
92.0%