CVE-2024-31865

CVE-2024-31865: Apache Zeppelin: Cron arbitrary user impersonation with improper privileges

Vendor Apache Software Foundation

Product Apache Zeppelin

Weakness CWE-20 · Input validation

Published April 9, 2024

Last update February 13, 2025

View on NVD All CVEs

CVSS base score

—

What the vulnerability does

Description

Improper Input Validation vulnerability in Apache Zeppelin. The attackers can call updating cron API with invalid or improper privileges so that the notebook can run with the privileges. This issue affects Apache Zeppelin: from 0.8.2 before 0.11.1. Users are recommended to upgrade to version 0.11.1, which fixes the issue.

Key dates

Disclosure timeline

April 9, 2024 CVE published

February 13, 2025 Record updated