CVE-2024-31866: Apache Zeppelin: Interpreter download command does not escape malicious code injection

Description

Improper Encoding or Escaping of Output vulnerability in Apache Zeppelin.

Attackers can execute shell scripts or other malicious code by overriding configuration settings such as ZEPPELIN_INTP_CLASSPATH_OVERRIDES.
This issue affects Apache Zeppelin: from 0.8.2 before 0.11.1.

Users are recommended to upgrade to version 0.11.1, which fixes the issue.

Classification

CVE ID: CVE-2024-31866

Affected Products

Vendor: Apache Software Foundation

Product: Apache Zeppelin

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.05% (probability of being exploited)

EPSS Percentile: 18.39% (proportion of all scored vulnerabilities with an EPSS score less than or equal to this one)

EPSS Date: 2025-03-14 (date this score was calculated)

References

https://github.com/apache/zeppelin/pull/4715
https://lists.apache.org/thread/jpkbq3oktopt34x2n5wnhzc2r1410ddd
http://www.openwall.com/lists/oss-security/2024/04/09/10

Timeline