zeppelin-zengine is vulnerable to OS command injection. An attacker is able to inject bash commands into Spark interpreter settings.
CPE

Name | Operator | Version |
---|---|---|
zeppelin: zengine | le | 0.9.0 |
www.openwall.com/lists/oss-security/2021/09/02/1
github.com/apache/zeppelin/commit/8a7e0b87144fba81a22055684441906ad1c327af
lists.apache.org/thread.html/rd56389ba9cab30a6c976b9a4a6df0f85cbe8fba6a60a3cf6e3ba716b@%3Cusers.zeppelin.apache.org%3E
lists.apache.org/thread.html/rdf06e8423833b3daadc30c56a2ff47c48920864d5199476daa897208%40%3Cusers.zeppelin.apache.org%3E
lists.apache.org/thread.html/rdf06e8423833b3daadc30c56a2ff47c48920864d5199476daa897208@%3Cannounce.apache.org%3E
lists.apache.org/thread.html/rdf06e8423833b3daadc30c56a2ff47c48920864d5199476daa897208@%3Cusers.zeppelin.apache.org%3E