Zeppelin
CVE-2024-31866
CRITICAL
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from Vendor (apache) · only source for this CVE.
CVSS VectorVendor: apache
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1Blast Radius
ecosystem impact- 34 maven packages depend on org.apache.zeppelin:zeppelin-interpreter (33 direct, 1 indirect)
Ecosystem-wide dependent count for version 0.8.2.
DescriptionCVE.org
Improper Encoding or Escaping of Output vulnerability in Apache Zeppelin.
The attackers can execute shell scripts or malicious code by overriding configuration like ZEPPELIN_INTP_CLASSPATH_OVERRIDES. This issue affects Apache Zeppelin: from 0.8.2 before 0.11.1.
Users are recommended to upgrade to version 0.11.1, which fixes the issue.
AnalysisAI
Improper Encoding or Escaping of Output vulnerability in Apache Zeppelin. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
Technical ContextAI
This vulnerability is classified under CWE-116. Improper Encoding or Escaping of Output vulnerability in Apache Zeppelin. The attackers can execute shell scripts or malicious code by overriding configuration like ZEPPELIN_INTP_CLASSPATH_OVERRIDES.8.2 before 0.11.1. Users are recommended to upgrade to version 0.11.1, which fixes the issue. Affected products include: Apache Zeppelin. Version information: before 0.11.1..
RemediationAI
A vendor patch is available. Apply the latest security update as soon as possible. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.
Improper Control of Generation of Code ('Code Injection') vulnerability in Apache Zeppelin. Rated critical severity (CVS
CVE-2024-41169 is an unauthenticated information disclosure vulnerability in Apache Zeppelin's raft server protocol that
Improper Input Validation vulnerability in Apache Zeppelin. Rated medium severity (CVSS 6.5), this vulnerability is remo
Improper Input Validation vulnerability in Apache Zeppelin. Rated medium severity (CVSS 6.5), this vulnerability is remo
Improper Input Validation vulnerability in Apache Zeppelin. Rated medium severity (CVSS 6.5), this vulnerability is remo
Improper Encoding or Escaping of Output vulnerability in Apache Zeppelin. Rated medium severity (CVSS 6.1), this vulnera
Cross Site Scripting vulnerability in markdown interpreter of Apache Zeppelin allows an attacker to inject malicious scr
An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Apache Zeppelin
Authentication Bypass by Spoofing vulnerability by replacing to exsiting notes in Apache Zeppelin.10.1 before 0.11.0. Ra
Improper Input Validation vulnerability in Apache Zeppelin when creating a new note from Zeppelin's UI.10.1 before 0.11.
Missing Origin Validation in WebSockets vulnerability in Apache Zeppelin. Rated medium severity (CVSS 5.3), this vulnera
Improper Input Validation vulnerability in Apache Zeppelin. Rated medium severity (CVSS 5.3), this vulnerability is remo
Same weakness CWE-116 – Improper Encoding or Escaping of Output
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today