An open API service providing security vulnerability metadata for many open source software ecosystems.

GSA_kwCzR0hTQS03cGdmLXBweHctODYyNM4ABKE_

Severity: High
EPSS: 0.00048% (0.14776 percentile)

Apache Zeppelin exposes server resources to unauthenticated attackers

Affected Packages

Package: maven:org.apache.zeppelin:zeppelin-server
Affected versions: >= 0.10.1, < 0.12.0
Fixed versions: 0.12.0
0 dependent packages, 54 dependent repositories

Affected Version Ranges

All affected versions

0.10.1, 0.11.0, 0.11.1, 0.11.2

All unaffected versions

0.6.0, 0.6.1, 0.6.2, 0.7.0, 0.7.1, 0.7.2, 0.7.3, 0.8.0, 0.8.1, 0.8.2, 0.9.0, 0.10.0, 0.12.0

Package: maven:org.apache.zeppelin:zeppelin-interpreter
Affected versions: >= 0.10.1, < 0.12.0
Fixed versions: 0.12.0
58 dependent packages, 177 dependent repositories

Affected Version Ranges

All affected versions

0.10.1, 0.11.0, 0.11.1, 0.11.2

All unaffected versions

0.6.0, 0.6.1, 0.6.2, 0.7.0, 0.7.1, 0.7.2, 0.7.3, 0.8.0, 0.8.1, 0.8.2, 0.9.0, 0.10.0, 0.12.0

The Raft server protocol used by the Cluster Interpreter can be reached without authentication. An unauthenticated attacker can use it to view the server's resources, including directories and files.

This issue affects Apache Zeppelin from 0.10.1 up to, but not including, 0.12.0.

Users are recommended to upgrade to version 0.12.0, which fixes the issue by removing the Cluster Interpreter.
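Since the fix is an upgrade, the practical check is whether a build pulls in either affected artifact at a version inside the range above. The following is an added example, not part of this advisory or of the Zeppelin project: it scans a Maven `pom.xml` for `org.apache.zeppelin:zeppelin-server` and `org.apache.zeppelin:zeppelin-interpreter`, resolves `${...}` property references, and reports coordinates that fall within `>= 0.10.1, < 0.12.0`. The sample POM, its property name and its unrelated dependency are constructed for the example; the version comparison covers the numeric part only, which is all the advisory's range needs.

```python
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Tuple

# Affected ranges as stated in this advisory for both artifacts: >= 0.10.1, < 0.12.0.
AFFECTED_RANGES: Dict[Tuple[str, str], Tuple[str, str]] = {
    ("org.apache.zeppelin", "zeppelin-server"): ("0.10.1", "0.12.0"),
    ("org.apache.zeppelin", "zeppelin-interpreter"): ("0.10.1", "0.12.0"),
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '0.11.2' or '0.11.2-SNAPSHOT' into a comparable tuple (0, 11, 2).
    Anything after the first '-' and any non-numeric dotted segment is dropped;
    Maven's full ordering is richer, but the advisory range is purely numeric."""
    parts: List[int] = []
    for piece in version.split("-", 1)[0].split("."):
        match = re.match(r"\d+", piece)
        if not match:
            break
        parts.append(int(match.group()))
    return tuple(parts)


def is_affected(group: str, artifact: str, version: str) -> bool:
    """True when the coordinate sits inside an affected range (lower bound inclusive,
    upper bound exclusive, matching the '>= lo, < hi' notation above)."""
    bounds = AFFECTED_RANGES.get((group, artifact))
    if bounds is None:
        return False
    low, high = bounds
    return parse_version(low) <= parse_version(version) < parse_version(high)


def _local(tag: str) -> str:
    # Strip the Maven POM XML namespace: '{http://maven.apache.org/POM/4.0.0}dependency' -> 'dependency'
    return tag.rsplit("}", 1)[-1]


def _child_text(elem: ET.Element, name: str) -> Optional[str]:
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return None


def _resolve(value: str, props: Dict[str, str]) -> str:
    # Substitute ${prop} references from <properties>; unknown references are left intact.
    return re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), value)


def scan_pom(pom_xml: str) -> List[Tuple[str, str, str]]:
    """Return (groupId, artifactId, resolvedVersion) for every dependency in the affected range."""
    root = ET.fromstring(pom_xml)
    props: Dict[str, str] = {}
    for elem in root:
        if _local(elem.tag) == "properties":
            for prop in elem:
                props[_local(prop.tag)] = (prop.text or "").strip()
    project_version = _child_text(root, "version")
    if project_version:
        props["project.version"] = project_version

    findings: List[Tuple[str, str, str]] = []
    for dep in root.iter():
        if _local(dep.tag) != "dependency":
            continue
        group = _child_text(dep, "groupId")
        artifact = _child_text(dep, "artifactId")
        version = _child_text(dep, "version")
        if not (group and artifact and version):
            continue  # version managed by a parent/BOM; cannot be decided from this file alone
        version = _resolve(version, props)
        if "${" in version:
            continue  # unresolved property; treat as undecidable rather than guessing
        if is_affected(group, artifact, version):
            findings.append((group, artifact, version))
    return findings


# Constructed sample POM for the example: one affected dependency (via a property),
# one already at the fixed version, and one unrelated artifact.
SAMPLE_POM = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId>
  <artifactId>notebook-app</artifactId>
  <version>1.0.0</version>
  <properties>
    <zeppelin.version>0.11.2</zeppelin.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.zeppelin</groupId>
      <artifactId>zeppelin-server</artifactId>
      <version>${zeppelin.version}</version>
    </dependency>
    <dependency>
      <groupId>org.apache.zeppelin</groupId>
      <artifactId>zeppelin-interpreter</artifactId>
      <version>0.12.0</version>
    </dependency>
    <dependency>
      <groupId>org.example</groupId>
      <artifactId>unrelated-lib</artifactId>
      <version>2.3.4</version>
    </dependency>
  </dependencies>
</project>
"""

if __name__ == "__main__":
    for group, artifact, version in scan_pom(SAMPLE_POM):
        print(f"AFFECTED: {group}:{artifact}:{version} (upgrade to 0.12.0)")
```

Dependencies whose version is inherited from a parent POM or a BOM are deliberately skipped rather than guessed; for those, run the check against the resolved tree (`mvn dependency:tree`) instead of the raw file.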

References: