CVE-2024-31860 — Apache Zeppelin Path Traversal vulnerability

Description

Improper Input Validation vulnerability in Apache Zeppelin. By adding relative path indicators (e.g `..`), attackers can see the contents for any files in the filesystem that the server account can access. This issue affects Apache Zeppelin from 0.9.0 before 0.11.0. Users are recommended to upgrade to version 0.11.0, which fixes the issue.

How to fix CVE-2024-31860

To remediate CVE-2024-31860, upgrade the affected package to a fixed version below.

—upgrade to 0.11.0 or later

Is CVE-2024-31860 being exploited?

Low — EPSS is 0.6%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

>= 0.9.0, < 0.11.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM5.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

References (6)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2024-31860
PATCHgithub.com/apache/zeppelin
WEBgithub.com/apache/zeppelin/commit/f025a697c1d1d0264064d5adf6cb0b20d85041b6
WEBgithub.com/apache/zeppelin/pull/4632
WEB