CVE-2024-31865: Apache Zeppelin: Cron arbitrary user impersonation with improper privileges

April 9, 2024 (updated April 10, 2024)

Improper Input Validation vulnerability in Apache Zeppelin.

The attackers can call updating cron API with invalid or improper privileges so that the notebook can run with the privileges.

This issue affects Apache Zeppelin: from 0.8.2 before 0.11.1.

Users are recommended to upgrade to version 0.11.1, which fixes the issue.

References

github.com/advisories/GHSA-g44m-x5h7-fr5q
github.com/apache/zeppelin
github.com/apache/zeppelin/commit/49e2740a1d83d58d2401ccf175fc91ffebfb0892
github.com/apache/zeppelin/pull/4631
lists.apache.org/thread/slm1sf0slwc11f4m4r0nd6ot2rf7w81l
nvd.nist.gov/vuln/detail/CVE-2024-31865

Detect and mitigate CVE-2024-31865 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →