CVE-2024-31864

Improper Control of Generation of Code ('Code Injection') vulnerability in Apache Zeppelin. The attacker can inject sensitive configuration or malicious code when connecting MySQL database via JDBC driver. This issue affects Apache Zeppelin: before 0.11.1. Users are recommended to upgrade to version 0.11.1, which fixes the issue.

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
http://www.openwall.com/lists/oss-security/2024/04/09/8
https://github.com/apache/zeppelin/pull/4709
https://lists.apache.org/thread/752qdk0rnkd9nqtornz734zwb7xdwcdb
https://www.cve.org/CVERecord?id=CVE-2020-11974

Configurations

No configuration.

History

01 Aug 2024, 13:51

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 9.8

01 May 2024, 18:15

Type	Values Removed	Values Added
References		() http://www.openwall.com/lists/oss-security/2024/04/09/8 -
Summary		(es) Vulnerabilidad de control inadecuado de generación de código ("inyección de código") en Apache Zeppelin. El atacante puede inyectar configuración confidencial o código malicioso al conectar la base de datos MySQL a través del controlador JDBC. Este problema afecta a Apache Zeppelin: anteriores a 0.11.1. Se recomienda a los usuarios actualizar a la versión 0.11.1, que soluciona el problema.

09 Apr 2024, 16:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-04-09 16:15

Updated : 2024-08-01 13:51

NVD link : CVE-2024-31864

Mitre link : CVE-2024-31864

CVE.ORG link : CVE-2024-31864

JSON object : View

Products Affected

No product.

CWE

CWE-94

Improper Control of Generation of Code ('Code Injection')

9.8 /10