CVE-2024-41169

CWE-664 | 4 documents | 4 sources
Severity: 7.5 HIGH
EPSS: 0.1% (top 75.83%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Jul 12

Description

The attacker can use the raft server protocol in an unauthenticated way. The attacker can see the server's resources, including directories and files. This issue affects Apache Zeppelin: from 0.10.1 up to 0.12.0. Users are recommended to upgrade to version 0.12.0, which fixes the issue by removing the Cluster Interpreter.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Exploitability: 3.9 | Impact: 3.6

Affected Packages (4 packages)

Maven | org.apache.zeppelin:zeppelin-server | 0.10.1 | 0.12.0
NVD | apache/zeppelin | 0.10.1 | 0.12.0
CVEListV5 | apache_software_foundation/apache_zeppelin | 0.10.1 | 0.12.0

Vulnerability Details (3)

CVEList: Apache Zeppelin: raft directory listing and file read (2025-07-12)
GHSA: Apache Zeppelin exposes server resources to unauthenticated attackers (2025-07-12)
OSV: Apache Zeppelin exposes server resources to unauthenticated attackers (2025-07-12)