Vulnerability Description
In Apache Zeppelin prior to 0.8.0 the cron scheduler was enabled by default and could allow users to run paragraphs as other users without authentication.
CVSS Score
8.8
HIGH
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Apache | Zeppelin | < 0.8.0 |
Related Weaknesses (CWE)
References
- http://www.openwall.com/lists/oss-security/2019/04/23/1Mailing ListRelease NotesThird Party Advisory
- http://www.securityfocus.com/bid/108047Third Party AdvisoryVDB Entry
- https://lists.apache.org/thread.html/ff6b995a5a3ba8db4d6b14b4d9dd487e7bf2e3bdd5b
- https://zeppelin.apache.org/releases/zeppelin-release-0.8.0.htmlRelease NotesVendor Advisory
- http://www.openwall.com/lists/oss-security/2019/04/23/1Mailing ListRelease NotesThird Party Advisory
- http://www.securityfocus.com/bid/108047Third Party AdvisoryVDB Entry
- https://lists.apache.org/thread.html/ff6b995a5a3ba8db4d6b14b4d9dd487e7bf2e3bdd5b
- https://zeppelin.apache.org/releases/zeppelin-release-0.8.0.htmlRelease NotesVendor Advisory
FAQ
What is CVE-2018-1317?
CVE-2018-1317 is a vulnerability with a CVSS score of 8.8 (HIGH). In Apache Zeppelin prior to 0.8.0 the cron scheduler was enabled by default and could allow users to run paragraphs as other users without authentication.
How severe is CVE-2018-1317?
CVE-2018-1317 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2018-1317?
Check the references section above for vendor advisories and patch information. Affected products include: Apache Zeppelin.