CVE-2019-10095
Bash command injection in Apache Zeppelin
9.8
CRITICAL
CVSS 3.1
EPSS 3.0%
Description
A Bash command injection vulnerability in Apache Zeppelin allows an attacker to inject system commands into Spark interpreter settings. This issue affects Apache Zeppelin version 0.9.0 and prior versions.
How to fix CVE-2019-10095
To remediate CVE-2019-10095, upgrade the affected package to a fixed version below.
- Maven: org.apache.zeppelin:zeppelin, upgrade to 0.10.0 or later
Is CVE-2019-10095 being exploited?
Low — EPSS is 3.0%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- org.apache.zeppelin:zeppelin (Maven): all versions from 0 up to, but not including, 0.10.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL (9.8) | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
References (10)
- ADVISORY: nvd.nist.gov/vuln/detail/CVE-2019-10095
- PATCH: github.com/apache/zeppelin
- WEB: lists.apache.org/thread.html/rd56389ba9cab30a6c976b9a4a6df0f85cbe8fba6a60a3cf6e3ba716b@%3Cusers.zeppelin.apache.org%3E