We use cookies to improve your experience on our site.
AVID-2026-R1468
Description
Apache Zeppelin: Remote code execution by adding malicious JDBC connection string (CVE-2024-31864)
Details
Improper Control of Generation of Code (‘Code Injection’) vulnerability in Apache Zeppelin.
The attacker can inject sensitive configuration or malicious code when connecting MySQL database via JDBC driver. This issue affects Apache Zeppelin: before 0.11.1.
Users are recommended to upgrade to version 0.11.1, which fixes the issue.
Reason for inclusion in AVID: CVE-2024-31864 describes remote code execution via code injection in Apache Zeppelin when connecting to MySQL via JDBC, affecting Zeppelin versions < 0.11.1. Zeppelin is a software component used in AI/ML data analysis pipelines, thus a software supply chain element for general-purpose AI systems. It is a security vulnerability (RCE) with explicit details and remediation guidance, supported by multiple references.
References
- NVD entry
- https://github.com/apache/zeppelin/pull/4709
- https://www.cve.org/CVERecord?id=CVE-2020-11974
- https://lists.apache.org/thread/752qdk0rnkd9nqtornz734zwb7xdwcdb
- http://www.openwall.com/lists/oss-security/2024/04/09/8
Affected or Relevant Artifacts
- Developer: Apache Software Foundation
- Deployer: Apache Software Foundation
- Artifact Details:
| Type | Name |
|---|---|
| System | Apache Zeppelin |
Impact
AVID Taxonomy Categorization
- Risk domains: Security
- SEP subcategories: S0100: Software Vulnerability
- Lifecycle stages: L06: Deployment
CWE
| ID | Description |
|---|---|
| CWE-94 | CWE-94 Improper Control of Generation of Code (‘Code Injection’) |
Other information
- Report Type: Advisory
- Credits:
- Date Reported: 2024-04-09
- Version: 0.3.3
- AVID Entry