CVE-2024-31864

CVE-2024-31864: Apache Zeppelin: Remote code execution by adding malicious JDBC connection string

Vendor: Apache Software Foundation
Product: Apache Zeppelin
Weakness: CWE-94 · Code injection
Published: April 9, 2024
Last update: November 4, 2025

What the vulnerability does

Description

Improper Control of Generation of Code ('Code Injection') vulnerability in Apache Zeppelin. An attacker can inject sensitive configuration or malicious code when connecting to a MySQL database via the JDBC driver. This issue affects Apache Zeppelin versions before 0.11.1. Users are recommended to upgrade to version 0.11.1, which fixes the issue.

Key dates

Disclosure timeline

April 9, 2024: CVE published
November 4, 2025: Record updated