CVE-2024-31860

Improper Input Validation vulnerability in Apache Zeppelin. By adding relative path indicators(E.g ..), attackers can see the contents for any files in the filesystem that the server account can access. This issue affects Apache Zeppelin: from 0.9.0 before 0.11.0. Users are recommended to upgrade to version 0.11.0, which fixes the issue.

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
http://www.openwall.com/lists/oss-security/2024/04/09/2
https://github.com/apache/zeppelin/pull/4632
https://lists.apache.org/thread/c0zfjnow3oc3dzc8w5rbkzj8lqj5jm5x

Configurations

No configuration.

History

03 Jul 2024, 01:55

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 6.5
Summary		(es) Vulnerabilidad de validación de entrada incorrecta en Apache Zeppelin. Al agregar indicadores de ruta relativa (por ejemplo .. ), los atacantes pueden ver el contenido de cualquier archivo en el sistema de archivos al que pueda acceder la cuenta del servidor. Este problema afecta a Apache Zeppelin: desde 0.9.0 antes de 0.11.0. Se recomienda a los usuarios actualizar a la versión 0.11.0, que soluciona el problema.

01 May 2024, 18:15

Type	Values Removed	Values Added
References		() http://www.openwall.com/lists/oss-security/2024/04/09/2 -

09 Apr 2024, 09:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-04-09 09:15

Updated : 2024-07-03 01:55

NVD link : CVE-2024-31860

Mitre link : CVE-2024-31860

CVE.ORG link : CVE-2024-31860

JSON object : View

Products Affected

No product.

CWE

CWE-20

Improper Input Validation

6.5 /10