CVE-2024-31861: Code injection in Apache Zeppelin Shell

April 11, 2024 (updated May 28, 2024)

Improper Control of Generation of Code (‘Code Injection’) vulnerability in Apache Zeppelin.

The attackers can use Shell interpreter as a code generation gateway, and execute the generated code as a normal way. This issue affects Apache Zeppelin: from 0.10.1 before 0.11.1.

Users are recommended to upgrade to version 0.11.1, which doesn’t have Shell interpreter by default.

References

github.com/advisories/GHSA-8pfj-w89w-m24x
github.com/apache/zeppelin
github.com/apache/zeppelin/pull/4708
lists.apache.org/thread/99clvqrht5l5r6kzjzwg2kj94boc9sfh
nvd.nist.gov/vuln/detail/CVE-2024-31861

Detect and mitigate CVE-2024-31861 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →