CVE-2024-31861

Description

Improper Control of Generation of Code ('Code Injection') vulnerability in Apache Zeppelin. The attackers can use Shell interpreter as a code generation gateway, and execute the generated code as a normal way. This issue affects Apache Zeppelin: from 0.10.1 before 0.11.1. Users are recommended to upgrade to version 0.11.1, which doesn't have Shell interpreter by default.

How to fix CVE-2024-31861

To remediate CVE-2024-31861, upgrade the affected package to a fixed version below.

• Maven/org.apache.zeppelin:zeppelin-shell—upgrade to 0.11.1 or later

Is CVE-2024-31861 being exploited?

No exploitation signal available. Neither CISA KEV nor a current EPSS score has been published for CVE-2024-31861.

Affected packages (1)

• >= 0.10.1, < 0.11.1

References (5)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2024-31861
• PATCHgithub.com/apache/zeppelin
• WEBgithub.com/apache/zeppelin/pull/4708
• WEBlists.apache.org/thread/99clvqrht5l5r6kzjzwg2kj94boc9sfh
• WEB