Unauthenticated Resource Exposure in Apache Zeppelin by Apache
CVE-2024-41169

7.5HIGH

Key Information:

Vendor

Apache
Status
Apache Zeppelin
Vendor
CVE Published:
12 July 2025

What is CVE-2024-41169?

An unauthenticated vulnerability exists in Apache Zeppelin, allowing attackers to exploit the raft server protocol. This vulnerability enables unauthorized access to server resources, including sensitive directories and files. Affected versions are from 0.10.1 to 0.12.0. Users are advised to upgrade to version 0.12.0, which mitigates the issue by eliminating the Cluster Interpreter, securing access to server resources.

Affected Version(s)

Apache Zeppelin 0.10.1 < 0.12.0

References

https://github.com/apache/zeppelin/pull/4841
patch
https://issues.apache.org/jira/browse/ZEPPELIN-6101
issue-tracking
https://lists.apache.org/thread/moyym04993c8owh4h0qj98r43...
vendor-advisory

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

SuperX <[email protected]>
.