Lucene search

GoogleOSV:GHSA-G64R-XF39-Q4P5

HistoryApr 09, 2024 - 9:31 a.m.

Apache Zeppelin Path Traversal vulnerability

2024-04-0909:31:12

Google

osv.dev

apache zeppelin

path traversal

input validation

upgrade

version 0.11.0

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

AI Score

6.8

Confidence

High

EPSS

Percentile

15.5%

JSON

Improper Input Validation vulnerability in Apache Zeppelin.

By adding relative path indicators (e.g ..), attackers can see the contents for any files in the filesystem that the server account can access.
This issue affects Apache Zeppelin from 0.9.0 before 0.11.0.

Users are recommended to upgrade to version 0.11.0, which fixes the issue.

References

www.openwall.com/lists/oss-security/2024/04/09/2

github.com/apache/zeppelin

github.com/apache/zeppelin/commit/f025a697c1d1d0264064d5adf6cb0b20d85041b6

github.com/apache/zeppelin/pull/4632

lists.apache.org/thread/c0zfjnow3oc3dzc8w5rbkzj8lqj5jm5x

nvd.nist.gov/vuln/detail/CVE-2024-31860

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

AI Score

6.8

Confidence

High

EPSS

Percentile

15.5%

JSON

Related for OSV:GHSA-G64R-XF39-Q4P5