CVE-2024-31864

Опубликовано: 09 апр. 2024

Источник: nvd

CVSS3: 9.8

EPSS Низкий

Описание

Improper Control of Generation of Code ('Code Injection') vulnerability in Apache Zeppelin.

The attacker can inject sensitive configuration or malicious code when connecting MySQL database via JDBC driver. This issue affects Apache Zeppelin: before 0.11.1.

Users are recommended to upgrade to version 0.11.1, which fixes the issue.

Ссылки

http://www.openwall.com/lists/oss-security/2024/04/09/8
Mailing List
https://github.com/apache/zeppelin/pull/4709
Issue Tracking
https://lists.apache.org/thread/752qdk0rnkd9nqtornz734zwb7xdwcdb
Mailing List
Vendor Advisory
https://www.cve.org/CVERecord?id=CVE-2020-11974
Not Applicable
http://www.openwall.com/lists/oss-security/2024/04/09/8
Mailing List
http://www.openwall.com/lists/oss-security/2025/08/03/3
https://github.com/apache/zeppelin/pull/4709
Issue Tracking
https://lists.apache.org/thread/752qdk0rnkd9nqtornz734zwb7xdwcdb
Mailing List
Vendor Advisory
https://www.cve.org/CVERecord?id=CVE-2020-11974
Not Applicable

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:apache:zeppelin:*:*:*:*:*:*:*:*

Версия до 0.11.1 (исключая)

EPSS

Процентиль: 74%

0.00848

Низкий

9.8 Critical

CVSS3

Дефекты

CWE-94

Связанные уязвимости

GHSA-66j8-c83m-gj5f