CVE-2024-31860

medium

Description

Improper Input Validation vulnerability in Apache Zeppelin. By adding relative path indicators (e.g. ..) to a requested path, attackers (low-privileged users, per the PR:L in the CVSS v3 vector below) can read the contents of any file on the filesystem that the server account can access. This issue affects Apache Zeppelin from 0.9.0 before 0.11.0. Users are recommended to upgrade to version 0.11.0, which fixes the issue.
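The bug class above, shown as an added example that is not Apache Zeppelin's code and does not reproduce the fix in the referenced pull request: a naive lookup that joins a user-supplied path onto a base directory, beside a hardened resolver that canonicalises the result and requires it to stay inside the base. All directory and file names (notebook, notebook-other, secret.txt) are constructed for the demonstration, and the sibling-directory case shows why the containment check must compare against the base path plus a separator rather than a bare string prefix.

```python
# Added example (not Apache Zeppelin code): the path-traversal pattern the advisory
# describes, next to a hardened resolver. Directory and file names are constructed.
import os
import tempfile


def read_file_vulnerable(base_dir: str, requested: str) -> bytes:
    """Naive lookup: os.path.join keeps '..' segments, so a request such as
    '../secret.txt' is served from outside base_dir."""
    path = os.path.join(base_dir, requested)
    with open(path, "rb") as f:
        return f.read()


def resolve_safely(base_dir: str, requested: str) -> str:
    """Canonicalise base and candidate (symlinks and '..' collapsed), then require
    the candidate to sit inside base. Comparing against base + os.sep, not a bare
    prefix, stops '<root>/notebook-other' from passing as inside '<root>/notebook'."""
    base = os.path.realpath(base_dir)
    if os.path.isabs(requested):
        # os.path.join would discard base_dir entirely for an absolute path.
        raise PermissionError(f"absolute path rejected: {requested!r}")
    candidate = os.path.realpath(os.path.join(base, requested))
    if candidate != base and not candidate.startswith(base + os.sep):
        raise PermissionError(f"path escapes base directory: {requested!r}")
    return candidate


def read_file_hardened(base_dir: str, requested: str) -> bytes:
    with open(resolve_safely(base_dir, requested), "rb") as f:
        return f.read()


def _blocked(base_dir: str, requested: str) -> bool:
    """True if the hardened lookup refuses the request."""
    try:
        read_file_hardened(base_dir, requested)
    except PermissionError:
        return True
    return False


def demo() -> dict:
    """Build a constructed layout in a temporary directory and exercise both lookups."""
    root = tempfile.mkdtemp()
    notebook_dir = os.path.join(root, "notebook")       # directory the server is meant to serve
    sibling_dir = os.path.join(root, "notebook-other")  # shares the string prefix 'notebook'
    os.makedirs(notebook_dir)
    os.makedirs(sibling_dir)
    with open(os.path.join(notebook_dir, "note.json"), "w") as f:
        f.write('{"name": "demo"}')
    with open(os.path.join(root, "secret.txt"), "w") as f:
        f.write("server-only")
    with open(os.path.join(sibling_dir, "other.txt"), "w") as f:
        f.write("sibling")

    results = {}
    # 1. The naive lookup follows '..' out of notebook_dir.
    results["vulnerable_leaks"] = read_file_vulnerable(notebook_dir, "../secret.txt") == b"server-only"
    # 2. The hardened lookup rejects the same request.
    results["hardened_blocks_traversal"] = _blocked(notebook_dir, "../secret.txt")
    # 3. A prefix-only check would accept this; the os.sep-terminated check does not.
    results["hardened_blocks_sibling_prefix"] = _blocked(notebook_dir, "../notebook-other/other.txt")
    # 4. Absolute paths are rejected rather than silently replacing base_dir.
    results["hardened_blocks_absolute"] = _blocked(notebook_dir, os.path.join(root, "secret.txt"))
    # 5. Legitimate requests inside the directory still work, including a harmless './'.
    results["hardened_serves_legit"] = read_file_hardened(notebook_dir, "./note.json") == b'{"name": "demo"}'
    return results


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

Canonicalising with os.path.realpath before the containment check matters because a lexical filter that only strips ".." substrings can be bypassed through symlinks or alternative encodings handled further down the stack; checking the final resolved path against the resolved base is what actually bounds the read to the intended directory.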

References

https://lists.apache.org/thread/c0zfjnow3oc3dzc8w5rbkzj8lqj5jm5x

https://github.com/apache/zeppelin/pull/4632

http://www.openwall.com/lists/oss-security/2024/04/09/2

Details

Source: Mitre, NVD

Published: 2024-04-09

Updated: 2025-05-06

Risk Information

CVSS v2

Base Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

Severity: Medium

CVSS v3

Base Score: 6.5

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Severity: Medium

EPSS

EPSS: 0.00269