CVE-2024-31860: Apache Zeppelin Path Traversal vulnerability

April 9, 2024 (updated February 13, 2025)

Improper Input Validation vulnerability in Apache Zeppelin.

By adding relative path indicators (e.g ..), attackers can see the contents for any files in the filesystem that the server account can access. This issue affects Apache Zeppelin from 0.9.0 before 0.11.0.

Users are recommended to upgrade to version 0.11.0, which fixes the issue.

References

github.com/advisories/GHSA-g64r-xf39-q4p5
github.com/apache/zeppelin
github.com/apache/zeppelin/commit/f025a697c1d1d0264064d5adf6cb0b20d85041b6
github.com/apache/zeppelin/pull/4632
lists.apache.org/thread/c0zfjnow3oc3dzc8w5rbkzj8lqj5jm5x
nvd.nist.gov/vuln/detail/CVE-2024-31860

Code Behaviors & Features

Detect and mitigate CVE-2024-31860 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →