CVE-2024-31861

描述

Improper Control of Generation of Code ('Code Injection') vulnerability in Apache Zeppelin. The attackers can use Shell interpreter as a code generation gateway, and execute the generated code as a normal way. This issue affects Apache Zeppelin: from 0.10.1 before 0.11.1. Users are recommended to upgrade to version 0.11.1, which doesn't have Shell interpreter by default.

如何修補 CVE-2024-31861

要修補 CVE-2024-31861,請將受影響套件升級到下列已修補版本。

• Maven/org.apache.zeppelin:zeppelin-shell—升級至 0.11.1 或更新版本

CVE-2024-31861 正在被利用嗎?

目前沒有被利用訊號。CVE-2024-31861 既不在 CISA KEV 也沒有最新的 EPSS 分數。

受影響套件(1)

• >= 0.10.1, < 0.11.1

參考連結(5)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2024-31861
• PATCHgithub.com/apache/zeppelin
• WEBgithub.com/apache/zeppelin/pull/4708
• WEBlists.apache.org/thread/99clvqrht5l5r6kzjzwg2kj94boc9sfh
• WEB