CVE-2024-31866: Improper escaping in Apache Zeppelin

April 9, 2024 (updated August 21, 2024)

Improper Encoding or Escaping of Output vulnerability in Apache Zeppelin.

The attackers can execute shell scripts or malicious code by overriding configuration like ZEPPELIN_INTP_CLASSPATH_OVERRIDES. This issue affects Apache Zeppelin: from 0.8.2 before 0.11.1.

Users are recommended to upgrade to version 0.11.1, which fixes the issue.

References

github.com/advisories/GHSA-86jx-wr74-xr74
github.com/apache/zeppelin
github.com/apache/zeppelin/commit/dd08a3966ef3b0b40f13d0291d7cac5ec3dd9f9c
github.com/apache/zeppelin/pull/4715
lists.apache.org/thread/jpkbq3oktopt34x2n5wnhzc2r1410ddd
nvd.nist.gov/vuln/detail/CVE-2024-31866

Code Behaviors & Features

Detect and mitigate CVE-2024-31866 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →