Description
A bash command injection vulnerability in Apache Zeppelin allows an attacker to inject system commands into Spark interpreter settings. This issue affects Apache Zeppelin version 0.9.0 and prior versions.
Remediation
References
http://www.openwall.com/lists/oss-security/2021/09/02/1
https://lists.apache.org/thread.html/rd56389ba9cab30a6c976b9a4a6df0f85cbe8fba6a60a3cf6e3ba716b%40%3Cusers.zeppelin.apache.org%3E
https://lists.apache.org/thread.html/rdf06e8423833b3daadc30c56a2ff47c48920864d5199476daa897208%40%3Cannounce.apache.org%3E
https://lists.apache.org/thread.html/rdf06e8423833b3daadc30c56a2ff47c48920864d5199476daa897208%40%3Cusers.zeppelin.apache.org%3E
https://security.gentoo.org/glsa/202311-04
Related Vulnerabilities
CVE-2021-27850 Vulnerability in maven package org.apache.tapestry:tapestry-core
CVE-2023-39153 Vulnerability in maven package org.jenkins-ci.plugins:gitlab-oauth
CVE-2020-15170 Vulnerability in maven package com.ctrip.framework.apollo:apollo-adminservice
CVE-2021-3377 Vulnerability in npm package ansi_up
CVE-2020-12265 Vulnerability in maven package org.webjars.npm:decompress-tar