CVE-2024-31862 - Vulnerability Details - OpenCVE

Improper Input Validation vulnerability in Apache Zeppelin when creating a new note from Zeppelin's UI.This issue affects Apache Zeppelin: from 0.10.1 before 0.11.0.

Users are recommended to upgrade to version 0.11.0, which fixes the issue.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00215.

Key SSVC decision points have not yet been added.

Vendors	Products
Apache	Zeppelin

Configuration 1 [-]

cpe:2.3:a:apache:zeppelin:*:*:*:*:*:*:*:*

No data.

No data.

References

Link	Providers
http://www.openwall.com/lists/oss-security/2024/04/09/5
https://github.com/apache/zeppelin/pull/4632
https://lists.apache.org/thread/73xdjx43yg4yz8bd4p3o8vzyybkysmn0

History

Mon, 05 May 2025 21:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Apache Apache zeppelin
Weaknesses		NVD-CWE-noinfo
CPEs		cpe:2.3:a:apache:zeppelin::::::::
Vendors & Products		Apache Apache zeppelin

Thu, 13 Feb 2025 18:00:00 +0000

Type	Values Removed	Values Added
Description	Improper Input Validation vulnerability in Apache Zeppelin when creating a new note from Zeppelin's UI.This issue affects Apache Zeppelin: from 0.10.1 before 0.11.0. Users are recommended to upgrade to version 0.11.0, which fixes the issue.	Improper Input Validation vulnerability in Apache Zeppelin when creating a new note from Zeppelin's UI.This issue affects Apache Zeppelin: from 0.10.1 before 0.11.0. Users are recommended to upgrade to version 0.11.0, which fixes the issue.

Wed, 21 Aug 2024 16:00:00 +0000

Type	Values Removed	Values Added
Metrics		cvssV3_1 `{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}`

MITRE

Status: PUBLISHED

Assigner: apache

Published: 2024-04-09T09:40:39.495Z

Updated: 2025-02-13T17:48:04.941Z

Reserved: 2024-04-06T11:50:12.789Z

Link: CVE-2024-31862

Vulnrichment

Updated: 2024-08-02T01:59:49.405Z

NVD

Status : Analyzed

Published: 2024-04-09T10:15:08.513

Modified: 2025-05-05T20:46:55.243

Link: CVE-2024-31862

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-31862", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "state": "PUBLISHED", "assignerShortName": "apache", "dateReserved": "2024-04-06T11:50:12.789Z", "datePublished": "2024-04-09T09:40:39.495Z", "dateUpdated": "2025-02-13T17:48:04.941Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://repo.maven.apache.org/maven2", "defaultStatus": "unaffected", "packageName": "org.apache.zeppelin:zeppelin-server", "product": "Apache Zeppelin", "vendor": "Apache Software Foundation", "versions": [{"lessThan": "0.11.0", "status": "affected", "version": "0.10.1", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Esa Hiltunen"}, {"lang": "en", "type": "finder", "value": "https://teragrep.com"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Input Validation vulnerability in Apache Zeppelin when creating a new note from Zeppelin's UI.<p>This issue affects Apache Zeppelin: from 0.10.1 before 0.11.0.</p><p>Users are recommended to upgrade to version 0.11.0, which fixes the issue.</p>"}], "value": "Improper Input Validation vulnerability in Apache Zeppelin when creating a new note from Zeppelin's UI.This issue affects Apache Zeppelin: from 0.10.1 before 0.11.0.\n\nUsers are recommended to upgrade to version 0.11.0, which fixes the issue."}], "metrics": [{"other": {"content": {"text": "moderate"}, "type": "Textual description of severity"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-20", "description": "CWE-20 Improper Input Validation", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2024-05-01T19:07:45.971Z"}, "references": [{"tags": ["patch"], "url": "https://github.com/apache/zeppelin/pull/4632"}, {"tags": ["vendor-advisory"], "url": "https://lists.apache.org/thread/73xdjx43yg4yz8bd4p3o8vzyybkysmn0"}, {"url": "http://www.openwall.com/lists/oss-security/2024/04/09/5"}], "source": {"discovery": "UNKNOWN"}, "title": "Apache Zeppelin: Denial of service with invalid notebook name", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T01:59:49.405Z"}, "title": "CVE Program Container", "references": [{"tags": ["patch", "x_transferred"], "url": "https://github.com/apache/zeppelin/pull/4632"}, {"tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.apache.org/thread/73xdjx43yg4yz8bd4p3o8vzyybkysmn0"}, {"url": "http://www.openwall.com/lists/oss-security/2024/04/09/5", "tags": ["x_transferred"]}]}, {"affected": [{"vendor": "apache", "product": "zeppelin", "cpes": ["cpe:2.3:a:apache:zeppelin:*:*:*:*:*:*:*:*"], "defaultStatus": "unaffected", "versions": [{"version": "0.10.1", "status": "affected", "lessThan": "0.11.0", "versionType": "semver"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2024-08-21T14:23:58.003132Z", "id": "CVE-2024-31862", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-21T14:30:40.495Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/apache/zeppelin/pull/4632", "tags": ["patch", "x_transferred"]}, {"url": "https://lists.apache.org/thread/73xdjx43yg4yz8bd4p3o8vzyybkysmn0", "tags": ["vendor-advisory", "x_transferred"]}, {"url": "http://www.openwall.com/lists/oss-security/2024/04/09/5", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T01:59:49.405Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2024-31862", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-08-21T14:23:58.003132Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:apache:zeppelin:*:*:*:*:*:*:*:*"], "vendor": "apache", "product": "zeppelin", "versions": [{"status": "affected", "version": "0.10.1", "lessThan": "0.11.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-21T14:26:19.413Z"}}], "cna": {"title": "Apache Zeppelin: Denial of service with invalid notebook name", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Esa Hiltunen"}, {"lang": "en", "type": "finder", "value": "https://teragrep.com"}], "metrics": [{"other": {"type": "Textual description of severity", "content": {"text": "moderate"}}}], "affected": [{"vendor": "Apache Software Foundation", "product": "Apache Zeppelin", "versions": [{"status": "affected", "version": "0.10.1", "lessThan": "0.11.0", "versionType": "semver"}], "packageName": "org.apache.zeppelin:zeppelin-server", "collectionURL": "https://repo.maven.apache.org/maven2", "defaultStatus": "unaffected"}], "references": [{"url": "https://github.com/apache/zeppelin/pull/4632", "tags": ["patch"]}, {"url": "https://lists.apache.org/thread/73xdjx43yg4yz8bd4p3o8vzyybkysmn0", "tags": ["vendor-advisory"]}, {"url": "http://www.openwall.com/lists/oss-security/2024/04/09/5"}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "Improper Input Validation vulnerability in Apache Zeppelin when creating a new note from Zeppelin's UI.This issue affects Apache Zeppelin: from 0.10.1 before 0.11.0.\n\nUsers are recommended to upgrade to version 0.11.0, which fixes the issue.\n\n", "supportingMedia": [{"type": "text/html", "value": "Improper Input Validation vulnerability in Apache Zeppelin when creating a new note from Zeppelin's UI.<p>This issue affects Apache Zeppelin: from 0.10.1 before 0.11.0.</p><p>Users are recommended to upgrade to version 0.11.0, which fixes the issue.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-20", "description": "CWE-20 Improper Input Validation"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2024-04-09T09:40:39.495Z"}}}, "cveMetadata": {"cveId": "CVE-2024-31862", "state": "PUBLISHED", "dateUpdated": "2024-08-21T14:30:40.495Z", "dateReserved": "2024-04-06T11:50:12.789Z", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "datePublished": "2024-04-09T09:40:39.495Z", "assignerShortName": "apache"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:zeppelin:*:*:*:*:*:*:*:*", "matchCriteriaId": "5D7D1A27-76A6-4963-95A7-42769DD35CDF", "versionEndExcluding": "0.11.0", "versionStartIncluding": "0.10.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Input Validation vulnerability in Apache Zeppelin when creating a new note from Zeppelin's UI.This issue affects Apache Zeppelin: from 0.10.1 before 0.11.0.\n\nUsers are recommended to upgrade to version 0.11.0, which fixes the issue."}, {"lang": "es", "value": "Vulnerabilidad de validaci\u00f3n de entrada incorrecta en Apache Zeppelin al crear una nueva nota desde la interfaz de usuario de Zeppelin. Este problema afecta a Apache Zeppelin: desde 0.10.1 antes de 0.11.0. Se recomienda a los usuarios actualizar a la versi\u00f3n 0.11.0, que soluciona el problema."}], "id": "CVE-2024-31862", "lastModified": "2025-05-05T20:46:55.243", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2024-04-09T10:15:08.513", "references": [{"source": "security@apache.org", "tags": ["Mailing List"], "url": "http://www.openwall.com/lists/oss-security/2024/04/09/5"}, {"source": "security@apache.org", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/apache/zeppelin/pull/4632"}, {"source": "security@apache.org", "tags": ["Mailing List", "Vendor Advisory"], "url": "https://lists.apache.org/thread/73xdjx43yg4yz8bd4p3o8vzyybkysmn0"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List"], "url": "http://www.openwall.com/lists/oss-security/2024/04/09/5"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/apache/zeppelin/pull/4632"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Vendor Advisory"], "url": "https://lists.apache.org/thread/73xdjx43yg4yz8bd4p3o8vzyybkysmn0"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "security@apache.org", "type": "Secondary"}, {"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}