CVE-2024-31863: Apache Zeppelin: Replacing other users notebook, bypassing any permissions

April 9, 2024 (updated February 11, 2025)

Authentication Bypass by Spoofing vulnerability by replacing to exsiting notes in Apache Zeppelin. This issue affects Apache Zeppelin: from 0.10.1 before 0.11.0.

Users are recommended to upgrade to version 0.11.0, which fixes the issue.

References

github.com/advisories/GHSA-m65c-wmw9-vmpp
github.com/apache/zeppelin
github.com/apache/zeppelin/commit/f025a697c1d1d0264064d5adf6cb0b20d85041b6
lists.apache.org/thread/3od2gfpwllmtc9c5ggw04ohn8s7w3ct9
nvd.nist.gov/vuln/detail/CVE-2024-31863

Code Behaviors & Features

Detect and mitigate CVE-2024-31863 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →