CVE-2024-41169 — Apache Zeppelin exposes server resources to unauthenticated attackers

Description

The attacker can use the raft server protocol in an unauthenticated way. The attacker can see the server's resources, including directories and files. This issue affects Apache Zeppelin: from 0.10.1 up to 0.12.0. Users are recommended to upgrade to version 0.12.0, which fixes the issue by removing the Cluster Interpreter.

How to fix CVE-2024-41169

To remediate CVE-2024-41169, upgrade the affected package to a fixed version below.

—upgrade to 0.12.0 or later
—upgrade to 0.12.0 or later

Is CVE-2024-41169 being exploited?

Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

>= 0.10.1, < 0.12.0
>= 0.10.1, < 0.12.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References (6)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2024-41169
PATCHgithub.com/apache/zeppelin
WEBgithub.com/apache/zeppelin/pull/4841
WEBissues.apache.org/jira/browse/ZEPPELIN-6101
WEB