CVE-2024-31860

Improper Input Validation vulnerability in Apache Zeppelin. By adding relative path indicators(E.g ..), attackers can see the contents for any files in the filesystem that the server account can access. This issue affects Apache Zeppelin: from 0.9.0 before 0.11.0. Users are recommended to upgrade to version 0.11.0, which fixes the issue.

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
http://www.openwall.com/lists/oss-security/2024/04/09/2
https://github.com/apache/zeppelin/pull/4632
https://lists.apache.org/thread/c0zfjnow3oc3dzc8w5rbkzj8lqj5jm5x

Configurations

No configuration.

History

No history.

Information

Published : 2024-04-09 09:15

Updated : 2024-07-03 01:55

NVD link : CVE-2024-31860

Mitre link : CVE-2024-31860

CVE.ORG link : CVE-2024-31860

JSON object : View

Products Affected

No product.

CWE

CWE-20

Improper Input Validation

6.5 /10