CVE-2024-31866

CVE-2024-31866: Apache Zeppelin: Interpreter download command does not escape malicious code injection

Vendor Apache Software Foundation

Product Apache Zeppelin

Weakness CWE-116

Published April 9, 2024

Last update February 13, 2025

View on NVD All CVEs

CVSS base score

—

What the vulnerability does

Description

Improper Encoding or Escaping of Output vulnerability in Apache Zeppelin. The attackers can execute shell scripts or malicious code by overriding configuration like ZEPPELIN_INTP_CLASSPATH_OVERRIDES. This issue affects Apache Zeppelin: from 0.8.2 before 0.11.1. Users are recommended to upgrade to version 0.11.1, which fixes the issue.

Key dates

Disclosure timeline

April 9, 2024 CVE published

February 13, 2025 Record updated