PT-2024-24253 · Apache · Apache Zeppelin

Esa Hiltunen · Published 2024-04-09 · Updated 2025-05-05 · CVE-2024-31865

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Apache Zeppelin versions 0.8.2 through 0.11.0

Description: The issue stems from improper input validation, which allows an attacker to call the cron-update API without the required privileges. As a result, the notebook can be run with elevated privileges.

Recommendations: For Apache Zeppelin versions 0.8.2 through 0.11.0, upgrade to version 0.11.1 to fix the issue. As a temporary workaround, restrict access to the cron-update API to reduce the risk of exploitation.

Fix

Missing Authorization

RCE

Weakness Enumeration

Related Identifiers

CVE-2024-31865
GHSA-G44M-X5H7-FR5Q

Affected Products

Apache Zeppelin