Chan Ho Lee created ZEPPELIN-6190:
-------------------------------------

Summary: Previous path traversal fix incomplete (CVE-2024-31860)
Key: ZEPPELIN-6190
URL: https://issues.apache.org/jira/browse/ZEPPELIN-6190
Project: Zeppelin
Issue Type: Bug
Reporter: Chan Ho Lee
Assignee: Chan Ho Lee
A similar path traversal issue to CVE-2024-31860 can still be reproduced by double-encoding `..` (e.g., %252e%252e). This bypasses the existing validation and allows unintended file access. The issue may be resolved by decoding the path multiple times before validation. ([~jongyoul] pointed this security issue out to me)

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
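The following is an added example, not code from Zeppelin or from the reporter, showing in Python why a filter that percent-decodes once is bypassed by the double-encoded input named in the report, and what a validator that decodes until the string stops changing and then resolves the result against a base directory looks like. The base directory `/notebook`, the round limit and the sample paths are constructed for the example; nothing here mirrors the project's actual code.

```python
import posixpath
from urllib.parse import unquote

# Constructed upper bound on nested percent-encoding layers; anything deeper is rejected.
MAX_DECODE_ROUNDS = 5


def decode_fully(path: str, max_rounds: int = MAX_DECODE_ROUNDS) -> str:
    """Percent-decode repeatedly until the value is stable, or raise if it never settles."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            return path  # no encoding left to strip
        path = decoded
    raise ValueError("path has more than %d layers of percent-encoding" % max_rounds)


def naive_is_safe(path: str) -> bool:
    """The incomplete pattern: decode once, then look for '..'.

    '%252e%252e' decodes to '%2e%2e', which contains no literal '..',
    so this check passes and the traversal is only revealed by a later decode.
    """
    return ".." not in unquote(path)


def is_safe(path: str, base: str = "/notebook") -> bool:
    """Decode to a fixed point, then confirm the resolved path stays under `base`.

    The containment test on the normalized path catches traversal regardless of how
    the dot segments were written, rather than relying on a substring match.
    """
    try:
        decoded = decode_fully(path)
    except ValueError:
        return False  # unbounded encoding depth is treated as hostile input
    if "\x00" in decoded:
        return False  # embedded NUL would truncate the path in native file APIs
    # Drop a leading slash so the join cannot replace `base` outright.
    resolved = posixpath.normpath(posixpath.join(base, decoded.lstrip("/")))
    return resolved == base or resolved.startswith(base + "/")


if __name__ == "__main__":
    # Constructed inputs: a normal note path, the single- and double-encoded
    # dot segments from the report, and one nested past the round limit.
    for sample in ("notes/report.json", "%2e%2e/etc/passwd",
                   "%252e%252e/etc/passwd", "%2525252525252e"):
        print("%-28s naive=%-5s fixed=%s" % (sample, naive_is_safe(sample), is_safe(sample)))
```

The round limit matters as much as the loop: without it, a request can be made to cost as many decode passes as the attacker cares to nest, so the validator both stops after a fixed number of rounds and rejects what is still encoded at that point.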