Vulnerability Description
Improper Input Validation vulnerability in Apache Zeppelin. By adding relative path indicators(E.g ..), attackers can see the contents for any files in the filesystem that the server account can access. This issue affects Apache Zeppelin: from 0.9.0 before 0.11.0. Users are recommended to upgrade to version 0.11.0, which fixes the issue.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Apache | Zeppelin | >= 0.9.0, < 0.11.0 |
Related Weaknesses (CWE)
References
- https://github.com/apache/zeppelin/pull/4632Issue TrackingPatch
- https://lists.apache.org/thread/c0zfjnow3oc3dzc8w5rbkzj8lqj5jm5xMailing ListVendor Advisory
- http://www.openwall.com/lists/oss-security/2024/04/09/2Mailing List
- https://github.com/apache/zeppelin/pull/4632Issue TrackingPatch
- https://lists.apache.org/thread/c0zfjnow3oc3dzc8w5rbkzj8lqj5jm5xMailing ListVendor Advisory
FAQ
What is CVE-2024-31860?
CVE-2024-31860 is a vulnerability with a CVSS score of 6.5 (MEDIUM). Improper Input Validation vulnerability in Apache Zeppelin. By adding relative path indicators(E.g ..), attackers can see the contents for any files in the filesystem that the server account can acce...
How severe is CVE-2024-31860?
CVE-2024-31860 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2024-31860?
Check the references section above for vendor advisories and patch information. Affected products include: Apache Zeppelin.