Apache Zeppelin: Remote code execution by adding malicious JDBC connection string
CVE-2024-31864

9.8CRITICAL

Key Information:

Vendor: Apache
Status: Apache Zeppelin
Vendor: CVE Published:; 9 April 2024

Summary

The vulnerability in Apache Zeppelin allows attackers to execute code injections when interfacing with MySQL databases through the JDBC driver. This flaw enables the injection of sensitive configuration or malicious code, potentially compromising the integrity of the application. Users are strongly advised to upgrade to version 0.11.1 to mitigate this security risk.

Affected Version(s)

Apache Zeppelin 0 < 0.11.1

References

https://github.com/apache/zeppelin/pull/4709

patch

https://www.cve.org/CVERecord?id=CVE-2020-11974

https://lists.apache.org/thread/752qdk0rnkd9nqtornz734zwb...

vendor-advisory

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Apr 9, 2024
Vulnerability Reserved
Apr 6, 2024

Credit

Nbxiglk