Apache Zeppelin security advisories
Security information for Apache Zeppelin
Reporting
Do you want disclose a potential security issue for Apache Zeppelin? You can read more about the projects’ security policy on their security page, and email your report to the Apache Zeppelin Security Team.
Advisories
This section is experimental: it provides advisories since 2023 and may lag behind the official CVE publications. It may also lack details found on the project security page. If you have any feedback on how you would like this data to be provided, you are welcome to reach out on our public mailinglist or privately on security@apache.org
Arbitrary file read by adding malicious JDBC connection string
CVE-2024-52279 [CVE] [CVE json] [OSV json]
Last updated: 2025-08-03T10:01:35.245Z
Affected
- Apache Zeppelin from 0.11.1 before 0.12.0
Description
Improper Input Validation vulnerability in Apache Zeppelin. The fix for JDBC URL validation in CVE-2024-31864 did not account for URL encoded input.
This issue affects Apache Zeppelin: from 0.11.1 before 0.12.0.
Users are recommended to upgrade to version 0.12.0, which fixes the issue.
References
- https://github.com/apache/zeppelin/pull/4838
- https://issues.apache.org/jira/browse/ZEPPELIN-6095
- https://www.cve.org/CVERecord?id=CVE-2024-31864
- https://lists.apache.org/thread/dxb98vgrb21rrl3k0fzonpk66onr6o4q
Credits
- H Ming (finder)
Command Injection via CSWSH
CVE-2024-51775 [CVE] [CVE json] [OSV json]
Last updated: 2025-08-03T10:14:50.764Z
Affected
- Apache Zeppelin from 0.11.1 before 0.12.0
Description
Missing Origin Validation in WebSockets vulnerability in Apache Zeppelin.
The attacker could access the Zeppelin server from another origin without any restriction, and get internal information about paragraphs.This issue affects Apache Zeppelin: from 0.11.1 before 0.12.0.
Users are recommended to upgrade to version 0.12.0, which fixes the issue.
References
- https://github.com/apache/zeppelin/pull/4823
- https://lists.apache.org/thread/bckm4y2ld5k5ro7bwh5yxbpxvslw0lm6
Credits
- Calum Hutton (finder)
XSS in the Helium module
CVE-2024-41177 [CVE] [CVE json] [OSV json]
Last updated: 2025-08-03T10:09:33.254Z
Affected
- Apache Zeppelin before 0.12.0
Description
Incomplete Blacklist to Cross-Site Scripting vulnerability in Apache Zeppelin.
This issue affects Apache Zeppelin: before 0.12.0.
Users are recommended to upgrade to version 0.12.0, which fixes the issue.
References
- https://github.com/apache/zeppelin/pull/4755
- https://github.com/apache/zeppelin/pull/4795
- https://lists.apache.org/thread/nwh8vh9f3pnvt04n8z4g2kbddh62blr6
Credits
- H Ming (finder)
raft directory listing and file read
CVE-2024-41169 [CVE] [CVE json] [OSV json]
Last updated: 2025-07-12T16:22:30.823Z
Affected
- Apache Zeppelin from 0.10.1 before 0.12.0
Description
The attacker can use the raft server protocol in an unauthenticated way. The attacker can see the server's resources, including directories and files.
This issue affects Apache Zeppelin: from 0.10.1 up to 0.12.0.
Users are recommended to upgrade to version 0.12.0, which fixes the issue by removing the Cluster Interpreter.
References
- https://github.com/apache/zeppelin/pull/4841
- https://issues.apache.org/jira/browse/ZEPPELIN-6101
- https://lists.apache.org/thread/moyym04993c8owh4h0qj98r43tbo8qdd
Credits
- SuperX superxyyang@gmail.com (finder)
XSS vulnerability in the helium module
CVE-2024-31868 [CVE] [CVE json] [OSV json]
Last updated: 2024-10-03T12:35:14.839Z
Affected
- Apache Zeppelin from 0.8.2 before 0.11.1
Description
Improper Encoding or Escaping of Output vulnerability in Apache Zeppelin.
The attackers can modify helium.json and exposure XSS attacks to normal users.
This issue affects Apache Zeppelin: from 0.8.2 before 0.11.1.
Users are recommended to upgrade to version 0.11.1, which fixes the issue.
References
- https://github.com/apache/zeppelin/pull/4728
- https://lists.apache.org/thread/55mqs673plsxmgnq7fdf2flftpllyf11
Credits
- H Ming (finder)
LDAP search filter query Injection Vulnerability
CVE-2024-31867 [CVE] [CVE json] [OSV json]
Last updated: 2024-04-09T16:15:46.165Z
Affected
- Apache Zeppelin from 0.8.2 before 0.11.1
Description
Improper Input Validation vulnerability in Apache Zeppelin.
The attackers can execute malicious queries by setting improper configuration properties to LDAP search filter.
This issue affects Apache Zeppelin: from 0.8.2 before 0.11.1.
Users are recommended to upgrade to version 0.11.1, which fixes the issue.
References
- https://github.com/apache/zeppelin/pull/4714
- https://lists.apache.org/thread/s4scw8bxdhrjs0kg0lhb68xqd8y9lrtf
Credits
- Qing Xu (finder)
Interpreter download command does not escape malicious code injection
CVE-2024-31866 [CVE] [CVE json] [OSV json]
Last updated: 2024-04-09T16:09:09.746Z
Affected
- Apache Zeppelin from 0.8.2 before 0.11.1
Description
Improper Encoding or Escaping of Output vulnerability in Apache Zeppelin.
The attackers can execute shell scripts or malicious code by overriding configuration like ZEPPELIN_INTP_CLASSPATH_OVERRIDES.
This issue affects Apache Zeppelin: from 0.8.2 before 0.11.1.
Users are recommended to upgrade to version 0.11.1, which fixes the issue.
References
- https://github.com/apache/zeppelin/pull/4715
- https://lists.apache.org/thread/jpkbq3oktopt34x2n5wnhzc2r1410ddd
Credits
- Esa Hiltunen (finder)
- https://teragrep.com (finder)
Cron arbitrary user impersonation with improper privileges
CVE-2024-31865 [CVE] [CVE json] [OSV json]
Last updated: 2024-04-09T16:07:34.123Z
Affected
- Apache Zeppelin from 0.8.2 before 0.11.1
Description
Improper Input Validation vulnerability in Apache Zeppelin.
The attackers can call updating cron API with invalid or improper privileges so that the notebook can run with the privileges.
This issue affects Apache Zeppelin: from 0.8.2 before 0.11.1.
Users are recommended to upgrade to version 0.11.1, which fixes the issue.
References
- https://github.com/apache/zeppelin/pull/4631
- https://lists.apache.org/thread/slm1sf0slwc11f4m4r0nd6ot2rf7w81l
Credits
- Esa Hiltunen (finder)
- https://teragrep.com (finder)
Remote code execution by adding malicious JDBC connection string
CVE-2024-31864 [CVE] [CVE json] [OSV json]
Last updated: 2024-04-11T07:54:22.052Z
Affected
- Apache Zeppelin before 0.11.1
Description
Improper Control of Generation of Code (‘Code Injection’) vulnerability in Apache Zeppelin.
The attacker can inject sensitive configuration or malicious code when connecting MySQL database via JDBC driver.
This issue affects Apache Zeppelin: before 0.11.1.
Users are recommended to upgrade to version 0.11.1, which fixes the issue.
References
- https://github.com/apache/zeppelin/pull/4709
- https://www.cve.org/CVERecord?id=CVE-2020-11974
- https://lists.apache.org/thread/752qdk0rnkd9nqtornz734zwb7xdwcdb
Credits
- rg (finder)
- Nbxiglk (finder)
Replacing other users notebook, bypassing any permissions
CVE-2024-31863 [CVE] [CVE json] [OSV json]
Last updated: 2024-04-09T10:25:26.871Z
Affected
- Apache Zeppelin from 0.10.1 before 0.11.0
Description
Authentication Bypass by Spoofing vulnerability by replacing to exsiting notes in Apache Zeppelin.
This issue affects Apache Zeppelin: from 0.10.1 before 0.11.0.
Users are recommended to upgrade to version 0.11.0, which fixes the issue.
References
Credits
- Esa Hiltunen (finder)
- https://teragrep.com (finder)
Denial of service with invalid notebook name
CVE-2024-31862 [CVE] [CVE json] [OSV json]
Last updated: 2024-04-09T09:40:37.681Z
Affected
- Apache Zeppelin from 0.10.1 before 0.11.0
Description
Improper Input Validation vulnerability in Apache Zeppelin when creating a new note from Zeppelin’s UI.
This issue affects Apache Zeppelin: from 0.10.1 before 0.11.0.
Users are recommended to upgrade to version 0.11.0, which fixes the issue.
References
- https://github.com/apache/zeppelin/pull/4632
- https://lists.apache.org/thread/73xdjx43yg4yz8bd4p3o8vzyybkysmn0
Credits
- Esa Hiltunen (finder)
- https://teragrep.com (finder)
Path traversal vulnerability
CVE-2024-31860 [CVE] [CVE json] [OSV json]
Last updated: 2025-05-06T13:12:30.032Z
Affected
- Apache Zeppelin from 0.9.0 before 0.11.0
Description
Improper Input Validation vulnerability in Apache Zeppelin.
By adding relative path indicators(E.g ..), attackers can see the contents for any files in the filesystem that the server account can access.
This issue affects Apache Zeppelin: from 0.9.0 before 0.11.0.
Users are recommended to upgrade to version 0.11.0, which fixes the issue.
References
- https://github.com/apache/zeppelin/pull/4632
- https://lists.apache.org/thread/c0zfjnow3oc3dzc8w5rbkzj8lqj5jm5x
Credits
- Kai Zhao (finder)
connecting to a malicious SAP server allowed it to perform XXE
CVE-2022-47894 [CVE] [CVE json] [OSV json]
Last updated: 2024-04-09T09:29:15.865Z
Affected
- Apache Zeppelin SAP from 0.8.0 before 0.11.0
Description
Improper Input Validation vulnerability in Apache Zeppelin SAP.
This issue affects Apache Zeppelin SAP: from 0.8.0 before 0.11.0.
As this project is retired, we do not plan to release a version that fixes this issue. Users are recommended to find an alternative or restrict access to the instance to trusted users.For more information, the fix already was merged in the source code but Zeppelin decided to retire the SAP component
NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
References
- https://github.com/apache/zeppelin/pull/4302
- https://lists.apache.org/thread/csf4k73kkn3nx58pm0p2qrylbox4fvyy
Credits
- kuiplatain@knownsec 404 Team (finder)
Stored XSS in note permissions
CVE-2022-46870 [CVE] [CVE json] [OSV json]
Last updated: 2022-12-16T12:54:56.815Z
Affected
- Apache Zeppelin before 0.8.2
Description
An Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Apache Zeppelin allows logged-in users to execute arbitrary javascript in other users’ browsers.
This issue affects Apache Zeppelin before 0.8.2. Users are recommended to upgrade to a supported version of Zeppelin.
References
CSRF vulnerability in the Credentials page
CVE-2021-28656 [CVE] [CVE json] [OSV json]
Last updated: 2024-04-09T09:12:56.855Z
Affected
- Apache Zeppelin through 0.9.0
Description
Cross-Site Request Forgery (CSRF) vulnerability in Credential page of Apache Zeppelin allows an attacker to submit malicious request. This issue affects Apache Zeppelin Apache Zeppelin version 0.9.0 and prior versions.
References
Credits
- Jiang Qingzhi (finder)
Arbitrary file deletion vulnerability
CVE-2021-28655 [CVE] [CVE json] [OSV json]
Last updated: 2022-12-20T09:49:02.814Z
Affected
- Apache Zeppelin through 0.9.0
Description
The improper Input Validation vulnerability in “”Move folder to Trash” feature of Apache Zeppelin allows an attacker to delete the arbitrary files. This issue affects Apache Zeppelin Apache Zeppelin version 0.9.0 and prior versions.
References
Credits
- Kai Zhao (finder)
Cross Site Scripting in markdown interpreter
CVE-2021-27578 [CVE] [CVE json] [OSV json]
Last updated: 2021-09-02T16:11:07.660Z
Affected
- Apache Zeppelin from Apache Zeppelin before 0.9.0
Description
Cross Site Scripting vulnerability in markdown interpreter of Apache Zeppelin allows an attacker to inject malicious scripts. This issue affects Apache Zeppelin Apache Zeppelin versions prior to 0.9.0.
References
Credits
- Apache Zeppelin would like to thank Paulo Pacheco for reporting this issue
Notebook permissions bypass
CVE-2020-13929 [CVE] [CVE json] [OSV json]
Last updated: 2021-09-02T16:10:15.351Z
Affected
- Apache Zeppelin from Apache Zeppelin through 0.9.0
Description
Authentication bypass vulnerability in Apache Zeppelin allows an attacker to bypass Zeppelin authentication mechanism to act as another user. This issue affects Apache Zeppelin Apache Zeppelin version 0.9.0 and prior versions.
References
Credits
- Apache Zeppelin would like to thank David Woodhouse for reporting this issue
bash command injection in spark interpreter
CVE-2019-10095 [CVE] [CVE json] [OSV json]
Last updated: 2022-12-08T11:51:05.587Z
Affected
- Apache Zeppelin from Apache Zeppelin through 0.9.0
Description
bash command injection vulnerability in Apache Zeppelin allows an attacker to inject system commands into Spark interpreter settings. This issue affects Apache Zeppelin Apache Zeppelin version 0.9.0 and prior versions.
References
Credits
- Apache Zeppelin would like to thank HERE Security team for reporting this issue