CVE-2024-31860: Apache Zeppelin: Path traversal vulnerability

Description

Improper Input Validation vulnerability in Apache Zeppelin.

By adding relative path indicators (e.g. `..`) to a file path, attackers can read the contents of any file on the filesystem that the server account can access.
This issue affects Apache Zeppelin: from 0.9.0 before 0.11.0.

Users are recommended to upgrade to version 0.11.0, which fixes the issue.

Classification

CVE ID: CVE-2024-31860

Affected Products

Vendor: Apache Software Foundation

Product: Apache Zeppelin

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.05% (probability of being exploited)

EPSS Percentile: 18.39% (proportion of all scored CVEs with an EPSS score less than or equal to this one)

EPSS Date: 2025-03-14 (date on which this score was calculated)

References

https://github.com/apache/zeppelin/pull/4632
https://lists.apache.org/thread/c0zfjnow3oc3dzc8w5rbkzj8lqj5jm5x
http://www.openwall.com/lists/oss-security/2024/04/09/2

Timeline