Apache Zeppelin: Remote code execution by adding malicious JDBC connection string
CVE-2024-31864

Currently unrated

Key Information:

Vendor: Apache
Status: Apache Zeppelin
Vendor: CVE Published:; 9 April 2024

Summary

Improper Control of Generation of Code ('Code Injection') vulnerability in Apache Zeppelin.

The attacker can inject sensitive configuration or malicious code when connecting MySQL database via JDBC driver. This issue affects Apache Zeppelin: before 0.11.1.

Users are recommended to upgrade to version 0.11.1, which fixes the issue.

Affected Version(s)

Apache Zeppelin 0 < 0.11.1

References

https://github.com/apache/zeppelin/pull/4709

patch

https://www.cve.org/CVERecord?id=CVE-2020-11974

https://lists.apache.org/thread/752qdk0rnkd9nqtornz734zwb...

vendor-advisory

Timeline

Vulnerability published
Apr 9, 2024
Vulnerability Reserved
Apr 6, 2024

Credit

Nbxiglk