Graphic Design

In Apache Zeppelin versions from 0.8.2 before 0.11.1 an Improper Encoding or Escaping of Output vulnerability CVE-2024-31868 was detected. This vulnerability resides in the improper handling of encoding or escaping output, which enables attackers to manipulate the helium.json file, thereby launching cross-site scripting (XSS) attacks against unsuspecting users. Users are recommended to upgrade to version 0.11.1, which fixes the issue. For more information, visit https://avd.aquasec.com/nvd/2024/cve-2024-31868/.

In Apache Zeppelin versions from 0.8.2 before 0.11.1 an Improper Input Validation vulnerability CVE-2024-31867 was detected. Attackers can exploit the system by tampering with LDAP search filter settings, allowing them to run harmful queries. The issue is resolved in Apache Zeppelin version 0.11.1. For more information, visit https://avd.aquasec.com/nvd/2024/cve-2024-31867/.

In Apache Zeppelin versions ranging from 0.8.2 before 0.11.1 there exists a vulnerability CVE-2024-31866 related to Improper Encoding or Escaping of Output. The attackers can execute shell scripts or malicious code by manipulating configurations such as ZEPPELIN_INTP_CLASSPATH_OVERRIDES, thereby gaining unauthorized access to execute potentially harmful actions. Users are recommended to upgrade to version 0.11.1, which fixes the issue. For more information, visit https://avd.aquasec.com/nvd/2024/cve-2024-31866/.

Authentication Bypass by Spoofing vulnerability CVE-2024-31863 was detected in Apache Zeppelin versions from 0.10.1 before 0.11. It allows attackers to replace existing notes. It is strongly advised that users upgrade to version 0.11.0 to fix this issue. For more information, visit https://avd.aquasec.com/nvd/2024/cve-2024-31863.

in Apache Zeppelin versions from 0.8.2 before 0.11.1 an Improper Input Validation vulnerability CVE-2024-31865 was detected. Attackers can call updating cron API with invalid or improper privileges so that the notebook can run with the privileges. Users are recommended to upgrade to version 0.11.1, which fixes the issue. For more information, visit https://avd.aquasec.com/nvd/2024/cve-2024-31865/.

Improper Control of Code Generation (‘Code Injection’) vulnerability CVE-2024-31864 was detected in all versions of Apache Zeppelin before 0.11.1. This vulnerability allows attackers to inject sensitive configuration or malicious code when connecting MySQL database via Java Database Connectivity driver. The issue is resolved in version 0.11.1. For more information, visit https://avd.aquasec.com/nvd/2024/cve-2024-31864/.

In Apache Zeppelin versions from 0.10.1 before 0.11.0 an Improper Input Validation vulnerability CVE-2024-31862 was detected, particularly when creating a new note through Zeppelin’s user interface. The issue is fixed in version 0.11.0. For more information, visit https://avd.aquasec.com/nvd/2024/cve-2024-31862.

In Apache Zeppelin versions from 0.10.1 before 0.11.1 an exploitable vulnerability CVE-2024-31861 known as “Improper Control of Generation of Code” (‘Code Injection’), was detected. It allows attackers to inject malicious code through the Shell interpreter, potentially leading to the unauthorized execution of commands. Users are recommended to upgrade to version 0.11.1, which doesn’t have Shell interpreter by default. For more information, visit https://avd.aquasec.com/nvd/2024/cve-2024-31861.

In Apache Zeppelin versions from 0.9.0 before 0.11.0 a low severity vulnerability CVE-2024-31860 was detected. Due to the issue, attackers can gain access to files on the server by using symbols that show the file’s location to other files. It’s recommended to upgrade to version 0.11.0 to fix the vulnerability. For more information, visit https://avd.aquasec.com/nvd/2024/cve-2024-31860.