
CVE-2024-41169 org.apache.zeppelin:zeppelin-server

Package

Manager: maven
Name: org.apache.zeppelin:zeppelin-server
Vulnerable Version: >=0.10.1 <0.12.0

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.0004 (percentile 0.11044)

Details

Apache Zeppelin exposes server resources to unauthenticated attackers. The attacker can use the raft server protocol in an unauthenticated way. The attacker can see the server's resources, including directories and files. This issue affects Apache Zeppelin: from 0.10.1 up to 0.12.0. Users are recommended to upgrade to version 0.12.0, which fixes the issue by removing the Cluster Interpreter.

Metadata

Created: 2025-07-12T18:30:31Z
Modified: 2025-07-14T20:31:20Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/07/GHSA-7pgf-ppxw-8624/GHSA-7pgf-ppxw-8624.json
CWE IDs: ["CWE-664"]
Alternative ID: GHSA-7pgf-ppxw-8624
Finding: F067
Auto approve: 1