Apache Zeppelin Improper Escaping (0.8.2-0.11.1) via ZEPPELIN_CLASSPATH_OVERRIDES
CVE-2024-31866 Published on April 9, 2024
Apache Zeppelin: Interpreter download command does not escape malicious code injection
Improper Encoding or Escaping of Output vulnerability in Apache Zeppelin.
The attackers can execute shell scripts or malicious code by overriding configuration like ZEPPELIN_INTP_CLASSPATH_OVERRIDES.
This issue affects Apache Zeppelin: from 0.8.2 before 0.11.1.
Users are recommended to upgrade to version 0.11.1, which fixes the issue.
Vulnerability Analysis
CVE-2024-31866 is exploitable with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to be critical as this vulnerability has a high impact to the confidentiality, integrity and availability of this component.
Weakness Type
What is an Output Sanitization Vulnerability?
The software prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.
CVE-2024-31866 has been classified to as an Output Sanitization vulnerability or weakness.
Products Associated with CVE-2024-31866
Want to know whenever a new CVE is published for Apache Zeppelin? stack.watch will email you.
Affected Versions
Apache Software Foundation Apache Zeppelin:- Version 0.8.2 and below 0.11.1 is affected.
- Version 0.8.2 and below 0.11.1 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.