CVE-2024-31863: Apache Zeppelin: Replacing other users notebook, bypassing any permissions
Severity: moderate

Affected versions:
- Apache Zeppelin 0.10.1 before 0.11.0

Description: Authentication Bypass by Spoofing vulnerability in Apache Zeppelin: by replacing an existing note, an attacker can overwrite another user's notebook, bypassing any permissions set on it. This issue affects Apache Zeppelin from 0.10.1 before 0.11.0. Users are recommended to upgrade to version 0.11.0, which fixes the issue.

Credit: Esa Hiltunen (finder), https://teragrep.com (finder)

References:
https://zeppelin.apache.org/
https://www.cve.org/CVERecord?id=CVE-2024-31863
CVE-2024-31862: Apache Zeppelin: Denial of service with invalid notebook name
Severity: moderate

Affected versions:
- Apache Zeppelin 0.10.1 before 0.11.0

Description: Improper Input Validation vulnerability in Apache Zeppelin when creating a new note from Zeppelin's UI: an invalid note name leads to a denial of service. This issue affects Apache Zeppelin from 0.10.1 before 0.11.0. Users are recommended to upgrade to version 0.11.0, which fixes the issue.

Credit: Esa Hiltunen (finder), https://teragrep.com (finder)

References:
https://github.com/apache/zeppelin/pull/4632
https://zeppelin.apache.org/
https://www.cve.org/CVERecord?id=CVE-2024-31862
CVE-2022-47894: Apache Zeppelin SAP: connecting to a malicious SAP server allowed it to perform XXE
Severity: moderate

Affected versions:
- Apache Zeppelin SAP 0.8.0 before 0.11.0

Description: Improper Input Validation vulnerability in Apache Zeppelin SAP: connecting to a malicious SAP server allowed that server to perform an XML External Entity (XXE) attack against the interpreter. This issue affects Apache Zeppelin SAP from 0.8.0 before 0.11.0. As this project is retired, we do not plan to release a version that fixes this issue. Users are recommended to find an alternative or restrict access to the instance to trusted users. The fix has already been merged in the source code, but Zeppelin decided to retire the SAP component rather than ship a fixed release.

NOTE: This vulnerability only affects products that are no longer supported by the maintainer. This issue is being tracked as ZEPPELIN-5665.

Credit: kuiplatain@knownsec 404 Team (finder)

References:
https://github.com/apache/zeppelin/pull/4302
https://zeppelin.apache.org/
https://www.cve.org/CVERecord?id=CVE-2022-47894
https://issues.apache.org/jira/browse/ZEPPELIN-5665
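The class of bug behind this advisory, as an added example that is not Zeppelin's or the SAP interpreter's code (that code base is Java): a parser that resolves external general entities turns a "response" from a hostile peer into a file read on the parsing host. The example uses Python's standard-library SAX parser and parses the same document twice, once with external entities enabled (the vulnerable configuration) and once with them disabled (the hardened one). The XML document, the local `credentials.conf` file and its content are all constructed for the demonstration.

```python
"""XXE through an external general entity, vulnerable vs. hardened parser config."""
import io
import os
import tempfile
import xml.sax
from pathlib import Path
from xml.sax.handler import ContentHandler, feature_external_ges


class TextCollector(ContentHandler):
    """Gathers the character data of the document so we can see what was expanded."""

    def __init__(self):
        super().__init__()
        self._parts = []

    def characters(self, content):
        self._parts.append(content)

    def text(self):
        return "".join(self._parts).strip()


def parse_server_response(xml_bytes, allow_external_entities):
    """Parse XML received from an untrusted peer and return its text content.

    allow_external_entities=True mirrors a parser that resolves SYSTEM entities
    (the vulnerable configuration); False is the hardened configuration, which
    is also the stdlib default since Python 3.7.1.
    """
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, allow_external_entities)
    handler = TextCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_bytes))
    return handler.text()


def malicious_response(target_file):
    """Build the attacker-controlled document (constructed sample data):
    it declares an entity pointing at a local file and references it in the body."""
    uri = Path(target_file).as_uri()
    return (
        '<?xml version="1.0"?>\n'
        "<!DOCTYPE response [\n"
        f'  <!ENTITY xxe SYSTEM "{uri}">\n'
        "]>\n"
        "<response><status>&xxe;</status></response>\n"
    ).encode()


def demo():
    """Return what each parser configuration leaks from a constructed secret file."""
    workdir = tempfile.mkdtemp()
    secret = os.path.join(workdir, "credentials.conf")  # constructed, not a real file
    with open(secret, "w") as f:
        f.write("sap.password=hunter2\n")
    doc = malicious_response(secret)
    return {
        "vulnerable": parse_server_response(doc, allow_external_entities=True),
        "hardened": parse_server_response(doc, allow_external_entities=False),
    }


if __name__ == "__main__":
    for mode, leaked in demo().items():
        print(f"{mode:10s} -> {leaked!r}")
```

The hardened run returns an empty string because the entity reference is simply not expanded; the vulnerable run returns the file content. The same split applies to Java's `DocumentBuilderFactory`/`SAXParserFactory`: disabling DTDs or external general and parameter entities is the fix, and it has to be applied to every parser instance that touches data from the remote server, not only to request bodies you send.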
CVE-2021-28656: Apache Zeppelin: CSRF vulnerability in the Credentials page
Severity: low

Affected versions:
- Apache Zeppelin through 0.9.0

Description: Cross-Site Request Forgery (CSRF) vulnerability in the Credentials page of Apache Zeppelin allows an attacker to submit a malicious request on behalf of a logged-in user. This issue affects Apache Zeppelin version 0.9.0 and prior versions.

Credit: Jiang Qingzhi (finder)

References:
https://zeppelin.apache.org/
https://www.cve.org/CVERecord?id=CVE-2021-28656
CVE-2024-31860: Apache Zeppelin: Path traversal vulnerability
Severity: low

Affected versions:
- Apache Zeppelin 0.9.0 before 0.11.0

Description: Improper Input Validation vulnerability in Apache Zeppelin. By adding relative path indicators (e.g. "..") to a path, attackers can read the contents of any file on the filesystem that the server account can access. This issue affects Apache Zeppelin from 0.9.0 before 0.11.0. Users are recommended to upgrade to version 0.11.0, which fixes the issue.

Credit: Kai Zhao (finder)

References:
https://github.com/apache/zeppelin/pull/4632
https://zeppelin.apache.org/
https://www.cve.org/CVERecord?id=CVE-2024-31860
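A worked illustration of the bug class, added here and not taken from Zeppelin's code: a naive `os.path.join` of a client-supplied name beside a check that canonicalises the result and refuses anything that leaves the notebook directory. The notebook directory, the `note1.zpln` file, the `credentials.conf` file outside it and the `escape` symlink are all constructed for the demonstration; `resolve_under` is a name chosen here, not a Zeppelin API.

```python
"""Path traversal: naive join vs. a canonicalising containment check."""
import os
import tempfile
from pathlib import Path


class PathTraversalError(ValueError):
    """Raised when a client-supplied path would escape the allowed directory."""


def naive_path(base_dir, requested):
    """Vulnerable: trusts the request. '../x' walks out of base_dir, and an
    absolute path makes os.path.join discard base_dir entirely."""
    return os.path.join(base_dir, requested)


def resolve_under(base_dir, requested):
    """Return the canonical path for `requested` only if it stays inside base_dir.

    resolve() collapses '.' and '..' and follows symlinks on both sides, so a
    link inside base_dir that points outside is caught as well.
    """
    base = Path(base_dir).resolve()
    if os.path.isabs(requested):
        raise PathTraversalError(f"absolute path rejected: {requested!r}")
    candidate = (base / requested).resolve()
    if candidate != base and base not in candidate.parents:
        raise PathTraversalError(f"{requested!r} resolves outside {base}")
    return candidate


def read_note_naive(base_dir, requested):
    with open(naive_path(base_dir, requested)) as f:
        return f.read()


def read_note_safe(base_dir, requested):
    with open(resolve_under(base_dir, requested)) as f:
        return f.read()


def demo():
    """Build a throwaway layout and show what each reader does with hostile input."""
    root = tempfile.mkdtemp()
    notebook = os.path.join(root, "notebook")
    os.mkdir(notebook)
    with open(os.path.join(notebook, "note1.zpln"), "w") as f:  # constructed note
        f.write('{"name": "note1"}')
    secret = os.path.join(root, "credentials.conf")  # constructed, outside notebook/
    with open(secret, "w") as f:
        f.write("db.password=hunter2")
    os.symlink(root, os.path.join(notebook, "escape"))  # link inside pointing out

    def blocked(requested):
        try:
            read_note_safe(notebook, requested)
        except PathTraversalError:
            return True
        return False

    return {
        "naive_leaks_dotdot": read_note_naive(notebook, "../credentials.conf"),
        "naive_leaks_absolute": read_note_naive(notebook, secret),
        "safe_reads_note": read_note_safe(notebook, "note1.zpln"),
        "safe_blocks_dotdot": blocked("../credentials.conf"),
        "safe_blocks_absolute": blocked(secret),
        "safe_blocks_symlink": blocked("escape/credentials.conf"),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check:22s} -> {result!r}")
```

The check compares canonical paths rather than searching the string for `..`: a substring filter misses absolute paths and symlinks and wrongly rejects harmless names, while the canonical comparison handles all three cases with the same rule.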
Re: Shell interpreter in v0.11.1 is not installed
Hello,

Thank you for checking it. For 0.11.1, it was obliterated, including from the 0.11.1 binary deployed to the Maven repository. Thus, installing it via install-interpreter.sh is impossible as well. Unfortunately, we don't plan to include it in official deployments until all shell interpreter security issues are resolved.

For the commit, you are right that it's the only commit in the master repository. However, we have one more commit as a hotfix in branch-0.11.

- https://github.com/apache/zeppelin/commit/9a51785a3a86d93888a0d959815b097ba41b35d5

I'm also preparing instructions on how to include it when you build it yourself.

Thank you for your interest. Moreover, I would appreciate it if you shared your experience of how you are using the shell interpreter. We can also consider providing the feature natively, not using the shell interpreter.

Hope this helps you.

Best regards,
Jongyoul Lee

On Tue, Apr 9, 2024 at 7:20 AM, Nils Glueck wrote:

> Hello,
>
> after switching from Zeppelin 0.11.0 to version 0.11.1, I noticed that
> the Shell interpreter had disappeared from the config, while my Docker
> file remained the same (using the netinst binary). Also, I noted at least
> one commit that seems related to the removal of the Shell interpreter.[1]
>
> 1) Am I missing something, or has the Shell interpreter been removed
> from the regular netinst binary build?
> 2) I am using the netinst Zeppelin 0.11.1 installation, followed by "RUN
> ./bin/install-interpreter.sh --name shell", which confirms that the Shell
> interpreter has been installed. However, it does not show up when
> checking the Interpreter config web page of Zeppelin. This can be
> observed only after the recent switch from 0.11.0 to 0.11.1. I do see
> the interpreters angular, flink, flink-cmd, influxdb, jupyter, md, python,
> r, spark, spark-submit, but no sh unfortunately. Can you reproduce? Is
> that expected behavior?
>
> Thanks for comments or clarification.
>
> [1]
> https://github.com/apache/zeppelin/commit/194577f49aa77e9ff4117affdba65ed02a8bcc7c

--
Best regards,
Jongyoul Lee
Shell interpreter in v0.11.1 is not installed
Hello,

after switching from Zeppelin 0.11.0 to version 0.11.1, I noticed that the Shell interpreter had disappeared from the config, while my Docker file remained the same (using the netinst binary). Also, I noted at least one commit that seems related to the removal of the Shell interpreter.[1]

1) Am I missing something, or has the Shell interpreter been removed from the regular netinst binary build?

2) I am using the netinst Zeppelin 0.11.1 installation, followed by "RUN ./bin/install-interpreter.sh --name shell", which confirms that the Shell interpreter has been installed. However, it does not show up when checking the Interpreter config web page of Zeppelin. This can be observed only after the recent switch from 0.11.0 to 0.11.1. I do see the interpreters angular, flink, flink-cmd, influxdb, jupyter, md, python, r, spark, spark-submit, but no sh unfortunately. Can you reproduce? Is that expected behavior?

Thanks for comments or clarification.

[1] https://github.com/apache/zeppelin/commit/194577f49aa77e9ff4117affdba65ed02a8bcc7c