Improper Control of Generation of Code (‘Code Injection’) vulnerability in Apache Zeppelin.
An attacker can inject sensitive configuration or malicious code when connecting to a MySQL database via the JDBC driver. This issue affects Apache Zeppelin versions before 0.11.1.
Users are recommended to upgrade to version 0.11.1, which fixes the issue.
| CPE | Name | Operator | Version |
|---|---|---|---|
| | org.apache.zeppelin:zeppelin-jdbc | lt | 0.11.1 |
www.openwall.com/lists/oss-security/2024/04/09/8
github.com/advisories/GHSA-66j8-c83m-gj5f
github.com/apache/zeppelin/commit/e65b5430e43c076c138a1f56e3f2aba1324118f2
github.com/apache/zeppelin/pull/4709
issues.apache.org/jira/browse/ZEPPELIN-5990
lists.apache.org/thread/752qdk0rnkd9nqtornz734zwb7xdwcdb
nvd.nist.gov/vuln/detail/CVE-2024-31864
www.cve.org/CVERecord?id=CVE-2020-11974