CVE-2024-41169: Apache Zeppelin exposes server resources to unauthenticated attackers

July 12, 2025 (updated July 14, 2025)

The attacker can use the raft server protocol in an unauthenticated way. The attacker can see the server’s resources, including directories and files.

This issue affects Apache Zeppelin: from 0.10.1 up to 0.12.0.

Users are recommended to upgrade to version 0.12.0, which fixes the issue by removing the Cluster Interpreter.

References

github.com/advisories/GHSA-7pgf-ppxw-8624
github.com/apache/zeppelin
github.com/apache/zeppelin/pull/4841
issues.apache.org/jira/browse/ZEPPELIN-6101
lists.apache.org/thread/moyym04993c8owh4h0qj98r43tbo8qdd
nvd.nist.gov/vuln/detail/CVE-2024-41169

Code Behaviors & Features

Detect and mitigate CVE-2024-41169 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →