CVE-2024-31860

Опубликовано: 09 апр. 2024

Источник: nvd

CVSS3: 6.5

EPSS Низкий

Описание

Improper Input Validation vulnerability in Apache Zeppelin.

By adding relative path indicators(E.g ..), attackers can see the contents for any files in the filesystem that the server account can access. This issue affects Apache Zeppelin: from 0.9.0 before 0.11.0.

Users are recommended to upgrade to version 0.11.0, which fixes the issue.

Ссылки

https://github.com/apache/zeppelin/pull/4632
Issue Tracking
Patch
https://lists.apache.org/thread/c0zfjnow3oc3dzc8w5rbkzj8lqj5jm5x
Mailing List
Vendor Advisory
http://www.openwall.com/lists/oss-security/2024/04/09/2
Mailing List
https://github.com/apache/zeppelin/pull/4632
Issue Tracking
Patch
https://lists.apache.org/thread/c0zfjnow3oc3dzc8w5rbkzj8lqj5jm5x
Mailing List
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:apache:zeppelin:*:*:*:*:*:*:*:*

Версия от 0.9.0 (включая) до 0.11.0 (исключая)

EPSS

Процентиль: 72%

0.00732

Низкий

6.5 Medium

CVSS3

Дефекты

CWE-22

Связанные уязвимости

GHSA-g64r-xf39-q4p5

CVSS3: 5.3

github

почти 2 года назад

Apache Zeppelin Path Traversal vulnerability