CVE-2024-31865 - Vulnerability Details - OpenCVE

Improper Input Validation vulnerability in Apache Zeppelin. The attackers can call updating cron API with invalid or improper privileges so that the notebook can run with the privileges. This issue affects Apache Zeppelin: from 0.8.2 before 0.11.1. Users are recommended to upgrade to version 0.11.1, which fixes the issue.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable yes

Technical Impact partial

Vendors	Products
Apache	Zeppelin

No data.

No data.

References

Link	Providers
http://www.openwall.com/lists/oss-security/2024/04/09/9
https://github.com/apache/zeppelin/pull/4631
https://lists.apache.org/thread/slm1sf0slwc11f4m4r0nd6ot2rf7w81l

History

Thu, 13 Feb 2025 18:00:00 +0000

Type	Values Removed	Values Added
Description	Improper Input Validation vulnerability in Apache Zeppelin. The attackers can call updating cron API with invalid or improper privileges so that the notebook can run with the privileges. This issue affects Apache Zeppelin: from 0.8.2 before 0.11.1. Users are recommended to upgrade to version 0.11.1, which fixes the issue.	Improper Input Validation vulnerability in Apache Zeppelin. The attackers can call updating cron API with invalid or improper privileges so that the notebook can run with the privileges. This issue affects Apache Zeppelin: from 0.8.2 before 0.11.1. Users are recommended to upgrade to version 0.11.1, which fixes the issue.

MITRE

Status: PUBLISHED

Assigner: apache

Published: 2024-04-09T16:07:36.358Z

Updated: 2025-02-13T17:48:06.867Z

Reserved: 2024-04-06T11:50:47.384Z

Link: CVE-2024-31865

Vulnrichment

Updated: 2024-04-22T18:48:29.121Z

NVD

Status : Awaiting Analysis

Published: 2024-04-09T16:15:08.213

Modified: 2025-02-13T18:18:00.710

Link: CVE-2024-31865

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-31865", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "state": "PUBLISHED", "assignerShortName": "apache", "dateReserved": "2024-04-06T11:50:47.384Z", "datePublished": "2024-04-09T16:07:36.358Z", "dateUpdated": "2025-02-13T17:48:06.867Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://repo.maven.apache.org/maven2", "defaultStatus": "unaffected", "packageName": "org.apache.zeppelin:zeppelin-server", "product": "Apache Zeppelin", "vendor": "Apache Software Foundation", "versions": [{"lessThan": "0.11.1", "status": "affected", "version": "0.8.2", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Esa Hiltunen"}, {"lang": "en", "type": "finder", "value": "https://teragrep.com"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Improper Input Validation vulnerability in Apache Zeppelin.</p><p>The attackers can call updating cron API with invalid or improper privileges so that the notebook can run with the privileges.</p><p>This issue affects Apache Zeppelin: from 0.8.2 before 0.11.1.</p><p>Users are recommended to upgrade to version 0.11.1, which fixes the issue.</p>"}], "value": "Improper Input Validation vulnerability in Apache Zeppelin.\n\nThe attackers can call updating cron API with invalid or improper privileges so that the notebook can run with the privileges.\n\nThis issue affects Apache Zeppelin: from 0.8.2 before 0.11.1.\n\nUsers are recommended to upgrade to version 0.11.1, which fixes the issue."}], "metrics": [{"other": {"content": {"text": "moderate"}, "type": "Textual description of severity"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-20", "description": "CWE-20 Improper Input Validation", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2024-05-01T18:11:41.213Z"}, "references": [{"tags": ["patch"], "url": "https://github.com/apache/zeppelin/pull/4631"}, {"tags": ["vendor-advisory"], "url": "https://lists.apache.org/thread/slm1sf0slwc11f4m4r0nd6ot2rf7w81l"}, {"url": "http://www.openwall.com/lists/oss-security/2024/04/09/9"}], "source": {"discovery": "UNKNOWN"}, "title": "Apache Zeppelin: Cron arbitrary user impersonation with improper privileges", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2024-31865", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-04-22T18:48:59.403032Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:apache:zeppelin:0.8.2:*:*:*:*:*:*:*"], "vendor": "apache", "product": "zeppelin", "versions": [{"status": "affected", "version": "0.8.2"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T17:36:49.248Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T01:59:49.913Z"}, "title": "CVE Program Container", "references": [{"tags": ["patch", "x_transferred"], "url": "https://github.com/apache/zeppelin/pull/4631"}, {"tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.apache.org/thread/slm1sf0slwc11f4m4r0nd6ot2rf7w81l"}, {"url": "http://www.openwall.com/lists/oss-security/2024/04/09/9", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-31865", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "state": "PUBLISHED", "assignerShortName": "apache", "dateReserved": "2024-04-06T11:50:47.384Z", "datePublished": "2024-04-09T16:07:36.358Z", "dateUpdated": "2024-06-04T17:36:49.248Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://repo.maven.apache.org/maven2", "defaultStatus": "unaffected", "packageName": "org.apache.zeppelin:zeppelin-server", "product": "Apache Zeppelin", "vendor": "Apache Software Foundation", "versions": [{"lessThan": "0.11.1", "status": "affected", "version": "0.8.2", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Esa Hiltunen"}, {"lang": "en", "type": "finder", "value": "https://teragrep.com"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Improper Input Validation vulnerability in Apache Zeppelin.</p><p>The attackers can call updating cron API with invalid or improper privileges so that the notebook can run with the privileges.</p><p>This issue affects Apache Zeppelin: from 0.8.2 before 0.11.1.</p><p>Users are recommended to upgrade to version 0.11.1, which fixes the issue.</p>"}], "value": "Improper Input Validation vulnerability in Apache Zeppelin.\n\nThe attackers can call updating cron API with invalid or improper privileges so that the notebook can run with the privileges.\n\nThis issue affects Apache Zeppelin: from 0.8.2 before 0.11.1.\n\nUsers are recommended to upgrade to version 0.11.1, which fixes the issue.\n\n"}], "metrics": [{"other": {"content": {"text": "moderate"}, "type": "Textual description of severity"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-20", "description": "CWE-20 Improper Input Validation", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2024-04-09T16:07:36.358Z"}, "references": [{"tags": ["patch"], "url": "https://github.com/apache/zeppelin/pull/4631"}, {"tags": ["vendor-advisory"], "url": "https://lists.apache.org/thread/slm1sf0slwc11f4m4r0nd6ot2rf7w81l"}, {"url": "http://www.openwall.com/lists/oss-security/2024/04/09/9"}], "source": {"discovery": "UNKNOWN"}, "title": "Apache Zeppelin: Cron arbitrary user impersonation with improper privileges", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2024-31865", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-04-22T18:48:59.403032Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:apache:zeppelin:0.8.2:*:*:*:*:*:*:*"], "vendor": "apache", "product": "zeppelin", "versions": [{"status": "affected", "version": "0.8.2"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-04-22T18:48:29.121Z"}, "title": "CISA ADP Vulnrichment"}]}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Input Validation vulnerability in Apache Zeppelin.\n\nThe attackers can call updating cron API with invalid or improper privileges so that the notebook can run with the privileges.\n\nThis issue affects Apache Zeppelin: from 0.8.2 before 0.11.1.\n\nUsers are recommended to upgrade to version 0.11.1, which fixes the issue."}, {"lang": "es", "value": "Vulnerabilidad de validaci\u00f3n de entrada incorrecta en Apache Zeppelin. Los atacantes pueden solicitar la actualizaci\u00f3n de la API cron con privilegios no v\u00e1lidos o inadecuados para que el port\u00e1til pueda ejecutarse con esos privilegios. Este problema afecta a Apache Zeppelin: desde 0.8.2 antes de 0.11.1. Se recomienda a los usuarios actualizar a la versi\u00f3n 0.11.1, que soluciona el problema."}], "id": "CVE-2024-31865", "lastModified": "2025-02-13T18:18:00.710", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.5, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2024-04-09T16:15:08.213", "references": [{"source": "security@apache.org", "url": "http://www.openwall.com/lists/oss-security/2024/04/09/9"}, {"source": "security@apache.org", "url": "https://github.com/apache/zeppelin/pull/4631"}, {"source": "security@apache.org", "url": "https://lists.apache.org/thread/slm1sf0slwc11f4m4r0nd6ot2rf7w81l"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2024/04/09/9"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/apache/zeppelin/pull/4631"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.apache.org/thread/slm1sf0slwc11f4m4r0nd6ot2rf7w81l"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "security@apache.org", "type": "Secondary"}]}