Re: CVE-2019-10095: Apache Zeppelin: bash command injection in spark interpreter

[Michiel Haisma]

Hi Jeff, others,

Can you please provide additional information regarding this vulnerability. 
Please include the following information:

 * Technical description of vulnerability, how users determine whether they are 
impacted. Maybe this is satisfied by one of the following items:
 * Relevant issue in Zeppelin Jira issue tracker.
 * Link to pull request or commit containing the fix.
 * List of released versions containing the fix.

I would also highly suggest providing these additional details in one of the 
vulnerability databases (e.g. https://nvd.nist.gov/vuln/detail/CVE-2019-10095) 
so that users have a better understanding of the impact and solutions.
NVD - CVE-2019-10095
NVD Analysts use publicly available information to associate vector strings and 
CVSS scores. We also display any CVSS information provided within the CVE List 
from the CNA.
nvd.nist.gov

Many thanks,

Michiel

On 2021/09/02 15:56:50, Jeff Zhang  wrote:
> Description:>
>
> bash command injection vulnerability in Apache Zeppelin allows an attacker to 
> inject system commands into Spark interpreter settings. This issue affects 
> Apache Zeppelin Apache Zeppelin version 0.9.0 and prior versions.>
>
> Credit:>
>
> Apache Zeppelin would like to thank HERE Security team for reporting this 
> issue >
>
>

CVE-2019-10095: Apache Zeppelin: bash command injection in spark interpreter

[Jeff Zhang]

Description:

bash command injection vulnerability in Apache Zeppelin allows an attacker to 
inject system commands into Spark interpreter settings.  This issue affects 
Apache Zeppelin Apache Zeppelin version 0.9.0 and prior versions.

Credit:

Apache Zeppelin would like to thank HERE Security team for reporting this issue