CVE-2024-31867 — Apache Zeppelin: LDAP search filter query Injection Vulnerability

Description

Improper Input Validation vulnerability in Apache Zeppelin. The attackers can execute malicious queries by setting improper configuration properties to LDAP search filter. This issue affects Apache Zeppelin: from 0.8.2 before 0.11.1. Users are recommended to upgrade to version 0.11.1, which fixes the issue.

How to fix CVE-2024-31867

To remediate CVE-2024-31867, upgrade the affected package to a fixed version below.

—upgrade to 0.11.1 or later

Is CVE-2024-31867 being exploited?

Low — EPSS is 0.9%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

>= 0.8.2, < 0.11.1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM5.9	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

References (6)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2024-31867
PATCHgithub.com/apache/zeppelin
WEBgithub.com/apache/zeppelin/commit/65d0bcc1ee8ec3ec372d0a71ab513cd20e6522a0
WEBgithub.com/apache/zeppelin/pull/4714
WEB