Severity: 6.5 MEDIUM
EPSS: 0.5% (top 35.13%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Apr 9

Description

Improper Input Validation vulnerability in Apache Zeppelin. An attacker can call the cron-update API with invalid or improper privileges, so that the notebook runs with those privileges. This issue affects Apache Zeppelin from 0.8.2 before 0.11.1. Users are recommended to upgrade to version 0.11.1, which fixes the issue.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Exploitability: 3.9 | Impact: 2.5

Affected Packages (3 packages)

Source | Package | Affected from | Fixed in
NVD | apache/zeppelin | 0.8.2 | 0.11.1
Maven | org.apache.zeppelin:zeppelin-server | 0.8.2 | 0.11.1
CVEListV5 | apache_software_foundation/apache_zeppelin | 0.8.2 | 0.11.1

Patches

Vulnerability Details (3 references)

GHSA: Apache Zeppelin: Cron arbitrary user impersonation with improper privileges (2024-04-09)
OSV: Apache Zeppelin: Cron arbitrary user impersonation with improper privileges (2024-04-09)
CVEList: Apache Zeppelin: Cron arbitrary user impersonation with improper privileges (2024-04-09)

CVE-2024-31865 (MEDIUM, CVSS 6.5) | Improper Input Validation vulnerability | cvebase.io