Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1nNjRyLXhmMzktcTRwNc4AA6vv
Apache Zeppelin Path Traversal vulnerability
Improper Input Validation vulnerability in Apache Zeppelin.
By adding relative path indicators (e.g ..), attackers can see the contents for any files in the filesystem that the server account can access.
This issue affects Apache Zeppelin from 0.9.0 before 0.11.0.
Users are recommended to upgrade to version 0.11.0, which fixes the issue.
Permalink: https://github.com/advisories/GHSA-g64r-xf39-q4p5JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1nNjRyLXhmMzktcTRwNc4AA6vv
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 9 months ago
Updated: 8 months ago
CVSS Score: 5.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
EPSS Percentage: 0.00045
EPSS Percentile: 0.17541
Identifiers: GHSA-g64r-xf39-q4p5, CVE-2024-31860
References:
- https://nvd.nist.gov/vuln/detail/CVE-2024-31860
- https://github.com/apache/zeppelin/pull/4632
- https://lists.apache.org/thread/c0zfjnow3oc3dzc8w5rbkzj8lqj5jm5x
- https://github.com/apache/zeppelin/commit/f025a697c1d1d0264064d5adf6cb0b20d85041b6
- http://www.openwall.com/lists/oss-security/2024/04/09/2
- https://github.com/advisories/GHSA-g64r-xf39-q4p5
Blast Radius: 9.2
Affected Packages
maven:org.apache.zeppelin:zeppelin-server
Dependent packages: 0Dependent repositories: 54
Downloads:
Affected Version Ranges: >= 0.9.0, < 0.11.0
Fixed in: 0.11.0
All affected versions: 0.9.0, 0.10.0, 0.10.1
All unaffected versions: 0.6.0, 0.6.1, 0.6.2, 0.7.0, 0.7.1, 0.7.2, 0.7.3, 0.8.0, 0.8.1, 0.8.2, 0.11.0, 0.11.1, 0.11.2