GHSA-8pfj-w89w-m24x

Suggest an improvement
Source
https://github.com/advisories/GHSA-8pfj-w89w-m24x
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/04/GHSA-8pfj-w89w-m24x/GHSA-8pfj-w89w-m24x.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-8pfj-w89w-m24x
Aliases
  • CVE-2024-31861
Published
2024-04-11T09:30:56Z
Modified
2024-12-03T06:09:21.028891Z
Summary
Code injection in Apache Zeppelin Shell
Details

Improper Control of Generation of Code ('Code Injection') vulnerability in Apache Zeppelin.

The attackers can use Shell interpreter as a code generation gateway, and execute the generated code as a normal way. This issue affects Apache Zeppelin: from 0.10.1 before 0.11.1.

Users are recommended to upgrade to version 0.11.1, which doesn't have Shell interpreter by default.

Database specific 
{
    "severity": "MODERATE",
    "nvd_published_at": "2024-04-11T09:15:08Z",
    "cwe_ids": [
        "CWE-94"
    ],
    "github_reviewed_at": "2024-05-28T20:18:43Z",
    "github_reviewed": true
}
References

Affected packages

Maven / org.apache.zeppelin:zeppelin-shell

Package

Name
org.apache.zeppelin:zeppelin-shell
View open source insights on deps.dev
Purl
pkg:maven/org.apache.zeppelin/zeppelin-shell

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0.10.1
Fixed
0.11.1

Affected versions

0.*

0.10.1
0.11.0