CVE-2024-31865 — Apache Zeppelin: Cron arbitrary user impersonation with improper privileges

Description

Improper Input Validation vulnerability in Apache Zeppelin. The attackers can call updating cron API with invalid or improper privileges so that the notebook can run with the privileges. This issue affects Apache Zeppelin: from 0.8.2 before 0.11.1. Users are recommended to upgrade to version 0.11.1, which fixes the issue.

How to fix CVE-2024-31865

To remediate CVE-2024-31865, upgrade the affected package to a fixed version below.

—upgrade to 0.11.1 or later

Is CVE-2024-31865 being exploited?

Low — EPSS is 0.6%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

>= 0.8.2, < 0.11.1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM5.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

References (6)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2024-31865
PATCHgithub.com/apache/zeppelin
WEBgithub.com/apache/zeppelin/commit/49e2740a1d83d58d2401ccf175fc91ffebfb0892
WEBgithub.com/apache/zeppelin/pull/4631
WEB