CVE-2024-31865 – org.apache.zeppelin:zeppelin-server

Package

Manager: maven
Name: org.apache.zeppelin:zeppelin-server
Vulnerable Version: >=0.8.2 <0.11.1

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00631 pctl0.69393

Details

Apache Zeppelin: Cron arbitrary user impersonation with improper privileges Improper Input Validation vulnerability in Apache Zeppelin. The attackers can call updating cron API with invalid or improper privileges so that the notebook can run with the privileges. This issue affects Apache Zeppelin: from 0.8.2 before 0.11.1. Users are recommended to upgrade to version 0.11.1, which fixes the issue.

Metadata

Created: 2024-04-09T18:30:22Z
Modified: 2024-05-02T14:46:09Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/04/GHSA-g44m-x5h7-fr5q/GHSA-g44m-x5h7-fr5q.json
CWE IDs: ["CWE-20", "CWE-862"]
Alternative ID: GHSA-g44m-x5h7-fr5q
Finding: F184
Auto approve: 1