Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1nNDRtLXg1aDctZnI1cc4AA6wa
Apache Zeppelin: Cron arbitrary user impersonation with improper privileges
Improper Input Validation vulnerability in Apache Zeppelin.
An attacker can call the cron update API with invalid or improper privileges, so that the notebook runs with those privileges.
This issue affects Apache Zeppelin: from 0.8.2 before 0.11.1.
Users are recommended to upgrade to version 0.11.1, which fixes the issue.
Permalink: https://github.com/advisories/GHSA-g44m-x5h7-fr5q
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1nNDRtLXg1aDctZnI1cc4AA6wa
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 8 months ago
Updated: 7 months ago
CVSS Score: 5.4
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Identifiers: GHSA-g44m-x5h7-fr5q, CVE-2024-31865
References:
- https://nvd.nist.gov/vuln/detail/CVE-2024-31865
- https://github.com/apache/zeppelin/pull/4631
- https://lists.apache.org/thread/slm1sf0slwc11f4m4r0nd6ot2rf7w81l
- https://github.com/apache/zeppelin/commit/49e2740a1d83d58d2401ccf175fc91ffebfb0892
- http://www.openwall.com/lists/oss-security/2024/04/09/9
- https://github.com/advisories/GHSA-g44m-x5h7-fr5q
Blast Radius: 9.4
Affected Packages
maven:org.apache.zeppelin:zeppelin-server
Dependent packages: 0
Dependent repositories: 54
Affected Version Ranges: >= 0.8.2, < 0.11.1
Fixed in: 0.11.1
All affected versions: 0.8.2, 0.9.0, 0.10.0, 0.10.1, 0.11.0
All unaffected versions: 0.6.0, 0.6.1, 0.6.2, 0.7.0, 0.7.1, 0.7.2, 0.7.3, 0.8.0, 0.8.1, 0.11.1, 0.11.2