Improper Input Validation vulnerability in Apache Zeppelin. The fix for JDBC URL validation in CVE-2024-31864 did not account for URL encoded input.

This issue affects Apache Zeppelin: from 0.11.1 before 0.12.0.

Users are recommended to upgrade to version 0.12.0, which fixes the issue.
Fixes

Solution

No solution given by the vendor.


Workaround

No workaround given by the vendor.

History

Tue, 05 Aug 2025 18:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:apache:zeppelin:*:*:*:*:*:*:*:*

Tue, 05 Aug 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 04 Aug 2025 08:30:00 +0000

Type Values Removed Values Added
First Time appeared Apache
Apache zeppelin
Vendors & Products Apache
Apache zeppelin

Sun, 03 Aug 2025 10:15:00 +0000

Type Values Removed Values Added
Description Improper Input Validation vulnerability in Apache Zeppelin. The fix for JDBC URL validation in CVE-2024-31864 did not account for URL encoded input. This issue affects Apache Zeppelin: from 0.11.1 before 0.12.0. Users are recommended to upgrade to version 0.12.0, which fixes the issue.
Title Apache Zeppelin: Arbitrary file read by adding malicious JDBC connection string
Weaknesses CWE-20
References

cve-icon MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2025-08-05T15:25:06.848Z

Reserved: 2024-11-06T09:19:55.078Z

Link: CVE-2024-52279

cve-icon Vulnrichment

Updated: 2025-08-05T15:24:57.031Z

cve-icon NVD

Status : Analyzed

Published: 2025-08-03T10:15:27.517

Modified: 2025-08-05T18:44:32.057

Link: CVE-2024-52279

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2025-08-04T08:09:15Z