CVE-2024-31861

2024-04-1109:15:08

CWE-94

[email protected]

web.nvd.nist.gov

cve-2024-31861

code injection

apache zeppelin

shell interpreter

upgrade

security vulnerability

7.1 High

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

15.3%

JSON

Improper Control of Generation of Code (‘Code Injection’) vulnerability in Apache Zeppelin.

The attackers can use Shell interpreter as a code generation gateway, and execute the generated code as a normal way.
This issue affects Apache Zeppelin: from 0.10.1 before 0.11.1.

Users are recommended to upgrade to version 0.11.1, which doesn’t have Shell interpreter by default.

Affected configurations

Vulners

Node

apachezeppelinRange≤0.11.1

CNA Affected

[
  {
    "collectionURL": "https://repo.maven.apache.org/maven2",
    "defaultStatus": "unaffected",
    "packageName": "org.apache.zeppelin:zeppelin-shell",
    "product": "Apache Zeppelin",
    "vendor": "Apache Software Foundation",
    "versions": [
      {
        "lessThan": "0.11.1",
        "status": "affected",
        "version": "0.10.1",
        "versionType": "semver"
      }
    ]
  }
]