CVE-2024-41169

| EUVD-2024-54778 HIGH
2025-07-12 [email protected] GHSA-7pgf-ppxw-8624
7.5
CVSS 3.1
Share

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

4
EUVD ID Assigned
Mar 16, 2026 - 08:56 euvd
EUVD-2024-54778
Analysis Generated
Mar 16, 2026 - 08:56 vuln.today
Patch Released
Mar 16, 2026 - 08:56 nvd
Patch available
CVE Published
Jul 12, 2025 - 17:15 nvd
HIGH 7.5

Tags

Apache Information Disclosure Authentication Bypass Zeppelin

Description

The attacker can use the raft server protocol in an unauthenticated way. The attacker can see the server's resources, including directories and files. This issue affects Apache Zeppelin: from 0.10.1 up to 0.12.0. Users are recommended to upgrade to version 0.12.0, which fixes the issue by removing the Cluster Interpreter.

Analysis

CVE-2024-41169 is an unauthenticated information disclosure vulnerability in Apache Zeppelin's raft server protocol that allows remote attackers to enumerate and view server resources, including sensitive directories and files, without authentication. Versions 0.10.1 through 0.12.0 are affected. The vulnerability has a CVSS score of 7.5 (High) with a network-accessible attack vector and no authentication requirements, making it trivially exploitable by unauthenticated remote actors.

Technical Context

The vulnerability resides in Apache Zeppelin's Cluster Interpreter and its underlying raft server protocol implementation (CPE: cpe:2.3:a:apache:zeppelin:*:*:*:*:*:*:*:*). The raft protocol is a consensus algorithm used for distributed system coordination, typically requiring authentication to prevent unauthorized cluster operations. This vulnerability stems from CWE-664 (Improper Control of a Resource Through its Lifetime), specifically the failure to properly enforce authentication checks on the raft server's communication endpoints. The Cluster Interpreter component, which manages distributed notebook execution across multiple nodes, exposed protocol handlers that accepted requests without validating client credentials, allowing directory traversal and file enumeration on the underlying server filesystem.

Affected Products

Zeppelin (['0.10.1', '0.10.2', '0.11.0', '0.11.1', '0.12.0'])

Remediation

Primary Patch: Upgrade to Apache Zeppelin version 0.12.1 or later. The upstream fix removes the Cluster Interpreter component entirely, eliminating the vulnerable raft server protocol exposure. Interim Mitigation: Disable the Cluster Interpreter in conf/zeppelin-site.xml if not required: set zeppelin.cluster.interpreter.enable=false or remove zeppelin.cluster.interpreter configuration properties. Network Segmentation: Restrict network access to Zeppelin instances to trusted internal networks only. Use firewall rules or VPN/bastion hosts to prevent direct internet exposure of the Zeppelin web UI and cluster ports (typically 7077 for Spark/Raft). Access Control: Implement reverse proxy authentication (e.g., Apache/Nginx with OIDC or SAML) in front of Zeppelin to enforce authentication at the transport layer, even though this does not address the protocol-level bypass. Monitoring: Monitor Zeppelin server logs and network traffic for raft protocol requests from unexpected sources. Alert on any raft server initialization or cluster communication logs.

Priority Score

38
Low Medium High Critical
KEV: 0
EPSS: +0.0
CVSS: +38
POC: 0

Share

CVE-2024-41169 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy