CVE-2024-31860

EUVD-2024-1201
Improper Input Validation vulnerability in Apache Zeppelin.

By adding relative path indicators(E.g ..), attackers can see the contents for any files in the filesystem that the server account can access. 
This issue affects Apache Zeppelin: from 0.9.0 before 0.11.0.

Users are recommended to upgrade to version 0.11.0, which fixes the issue.
Path Traversal
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
6.5 MEDIUM
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CISA-ADPADP
6.5 MEDIUM
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 72%
Affected Products (NVD)
VendorProductVersion
apachezeppelin
0.9.0 ≤
𝑥
< 0.11.0
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/apache/zeppelin/pull/4632
https://lists.apache.org/thread/c0zfjnow3oc3dzc8w5rbkzj8lqj5jm5x
http://www.openwall.com/lists/oss-security/2024/04/09/2
https://github.com/apache/zeppelin/pull/4632
https://lists.apache.org/thread/c0zfjnow3oc3dzc8w5rbkzj8lqj5jm5x