Code Injection

2024-04-1212:40:49

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

code injection

configuration overrides

shell scripts

malicious code

environment variables

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

7.7

Confidence

Low

EPSS

Percentile

15.5%

JSON

org.apache.zeppelin/zeppelin is vulnerable to Code Injection. The vulnerability is due to improper handling of configuration overrides such as ZEPPELIN_INTP_CLASSPATH_OVERRIDES, allowing attackers to execute shell scripts or inject malicious code though environment variables.