CVE-2024-31867: Apache Zeppelin: LDAP search filter query Injection Vulnerability

Description

Improper Input Validation vulnerability in Apache Zeppelin.

Attackers can execute malicious LDAP queries by supplying improper values for the configuration properties that are used to build the LDAP search filter, because those values are not validated or escaped before being placed in the filter.
This issue affects Apache Zeppelin versions from 0.8.2 before 0.11.1.

Users are recommended to upgrade to version 0.11.1, which fixes the issue.
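The root cause described above is a value being substituted into an LDAP search filter without escaping, so filter metacharacters in the value become filter syntax. The following is an added example, not Apache Zeppelin's code or its fix: it applies RFC 4515 escaping to a value before substituting it into a filter template, and adds a cheap structural check that the substitution introduced no new filter components. The template shape, the `{0}` placeholder and the sample inputs are constructed for illustration.

```python
# Added example (not Apache Zeppelin's code): escaping values that are
# substituted into an LDAP search filter, plus a structural sanity check.
# The template, placeholder convention and sample inputs are constructed.

# RFC 4515 requires these characters to be hex-escaped inside an assertion
# value; anything else may appear literally.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Return value with RFC 4515 filter metacharacters hex-escaped.

    Backslash is handled in the same single pass as the other characters, so
    an input that already looks escaped is escaped again rather than trusted.
    """
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_search_filter(template: str, value: str, escape: bool = True) -> str:
    """Substitute value for the {0} placeholder in a search-filter template.

    escape=False reproduces the unsafe raw substitution so the two results can
    be compared side by side; production code should only ever escape.
    """
    if escape:
        value = escape_filter_value(value)
    return template.replace("{0}", value)


def filter_structure_unchanged(template: str, built: str) -> bool:
    """True if substitution added no parentheses, i.e. no new filter components.

    An escaped value contains no '(' or ')', so a change in either count means
    the substituted value was interpreted as filter syntax.
    """
    return (built.count("(") == template.count("(")
            and built.count(")") == template.count(")"))


# Constructed template in the style of a realm's user-search-filter property
# (assumed shape; not copied from any Zeppelin configuration file).
USER_SEARCH_FILTER = "(&(objectClass=person)(uid={0}))"


def demo() -> dict:
    """Build the filter from an ordinary value and from one with metacharacters."""
    plain = build_search_filter(USER_SEARCH_FILTER, "alice")
    # Constructed test input containing filter metacharacters.
    tricky = "alice)(objectClass=*"
    unsafe = build_search_filter(USER_SEARCH_FILTER, tricky, escape=False)
    safe = build_search_filter(USER_SEARCH_FILTER, tricky)
    return {
        "plain": plain,
        "unsafe": unsafe,
        "safe": safe,
        "unsafe_ok": filter_structure_unchanged(USER_SEARCH_FILTER, unsafe),
        "safe_ok": filter_structure_unchanged(USER_SEARCH_FILTER, safe),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

With raw substitution the metacharacter-laden value turns one assertion into two, and the parenthesis count of the built filter no longer matches the template; with escaping, the same value stays a single literal assertion value. The structural check is a last-line guard only; escaping every externally supplied value is the actual fix.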

Classification

CVE ID: CVE-2024-31867

Affected Products

Vendor: Apache Software Foundation

Product: Apache Zeppelin

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.05% (estimated probability of exploitation in the wild within the next 30 days)

EPSS Percentile: 17.81% (share of all scored vulnerabilities with an EPSS score less than or equal to this one)

EPSS Date: 2025-02-03 (date this score was calculated)

References

https://github.com/apache/zeppelin/pull/4714
https://lists.apache.org/thread/s4scw8bxdhrjs0kg0lhb68xqd8y9lrtf
http://www.openwall.com/lists/oss-security/2024/04/09/12

Timeline