CVE-2024-31864

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2024-31864
Improper Control of Generation of Code ('Code Injection') vulnerability in Apache Zeppelin. The attacker can inject sensitive configuration or malicious code when connecting MySQL database via JDBC driver. This issue affects Apache Zeppelin: before 0.11.1. Users are recommended to upgrade to version 0.11.1, which fixes the issue.

9.8 /10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
http://www.openwall.com/lists/oss-security/2024/04/09/8
https://github.com/apache/zeppelin/pull/4709
https://lists.apache.org/thread/752qdk0rnkd9nqtornz734zwb7xdwcdb
https://www.cve.org/CVERecord?id=CVE-2020-11974
http://www.openwall.com/lists/oss-security/2024/04/09/8
https://github.com/apache/zeppelin/pull/4709
https://lists.apache.org/thread/752qdk0rnkd9nqtornz734zwb7xdwcdb
https://www.cve.org/CVERecord?id=CVE-2020-11974
Configurations

No configuration.

History

13 Feb 2025, 18:18

Type Values Removed Values Added
Summary (en) Improper Control of Generation of Code ('Code Injection') vulnerability in Apache Zeppelin. The attacker can inject sensitive configuration or malicious code when connecting MySQL database via JDBC driver. This issue affects Apache Zeppelin: before 0.11.1. Users are recommended to upgrade to version 0.11.1, which fixes the issue. (en) Improper Control of Generation of Code ('Code Injection') vulnerability in Apache Zeppelin. The attacker can inject sensitive configuration or malicious code when connecting MySQL database via JDBC driver. This issue affects Apache Zeppelin: before 0.11.1. Users are recommended to upgrade to version 0.11.1, which fixes the issue.
Information

Published : 2024-04-09 16:15

Updated : 2025-02-13 18:18

NVD link : CVE-2024-31864

Mitre link : CVE-2024-31864

CVE.ORG link : CVE-2024-31864

JSON object : View

Products Affected

No product.

CWE
CWE-94

Improper Control of Generation of Code ('Code Injection')