CVE-2024-31866 – org.apache.zeppelin:zeppelin-interpreter
Package
Manager: maven
Name: org.apache.zeppelin:zeppelin-interpreter
Vulnerable Version: >=0.8.2 <0.11.1
Severity
Level: Critical
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS: 0.0114 (percentile 0.77602)
Details
Improper escaping in Apache Zeppelin. Improper Encoding or Escaping of Output vulnerability in Apache Zeppelin: attackers can execute shell scripts or malicious code by overriding configuration such as ZEPPELIN_INTP_CLASSPATH_OVERRIDES. This issue affects Apache Zeppelin from 0.8.2 before 0.11.1. Users are recommended to upgrade to version 0.11.1, which fixes the issue.
Metadata
Created: 2024-04-09T18:30:22Z
Modified: 2024-08-21T18:50:22Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/04/GHSA-86jx-wr74-xr74/GHSA-86jx-wr74-xr74.json
CWE IDs: ["CWE-116"]
Alternative ID: GHSA-86jx-wr74-xr74
Finding: F404
Auto approve: 1