Description

bash command injection vulnerability in Apache Zeppelin allows an attacker to inject system commands into Spark interpreter settings. This issue affects Apache Zeppelin Apache Zeppelin version 0.9.0 and prior versions.

Remediation

References

http://www.openwall.com/lists/oss-security/2021/09/02/1

https://lists.apache.org/thread.html/rd56389ba9cab30a6c976b9a4a6df0f85cbe8fba6a60a3cf6e3ba716b%40%3Cusers.zeppelin.apache.org%3E

https://lists.apache.org/thread.html/rdf06e8423833b3daadc30c56a2ff47c48920864d5199476daa897208%40%3Cannounce.apache.org%3E

https://lists.apache.org/thread.html/rdf06e8423833b3daadc30c56a2ff47c48920864d5199476daa897208%40%3Cusers.zeppelin.apache.org%3E

https://lists.apache.org/thread.html/rdf06e8423833b3daadc30c56a2ff47c48920864d5199476daa897208%40%3Cusers.zeppelin.apache.org%3E

https://security.gentoo.org/glsa/202311-04

Related Vulnerabilities

CVE-2021-21413 Vulnerability in npm package isolated-vm

CVE-2020-15119 Vulnerability in maven package org.webjars.bower:auth0-lock

CVE-2021-37578 Vulnerability in maven package org.apache.juddi:juddi-core

CVE-2021-46440 Vulnerability in npm package strapi

CVE-2019-16552 Vulnerability in maven package com.sonyericsson.hudson.plugins.gerrit:gerrit-trigger

Severity

Critical

Classification

CWE-77 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Mailing List Third Party Advisory Vendor Advisory