Apache Zeppelin security advisories

Security information for Apache Zeppelin

Reporting

Do you want disclose a potential security issue for Apache Zeppelin? You can read more about the projects’ security policy on their security page, and email your report to the Apache Zeppelin Security Team.

Advisories

This section is experimental: it provides advisories since 2023 and may lag behind the official CVE publications. It may also lack details found on the project security page. If you have any feedback on how you would like this data to be provided, you are welcome to reach out on our public mailinglist or privately on security@apache.org

Arbitrary file read by adding malicious JDBC connection string

CVE-2024-52279 [CVE] [CVE json] [OSV json]

Last updated: 2025-08-03T10:01:35.245Z

Affected

  • Apache Zeppelin from 0.11.1 before 0.12.0

Description

Improper Input Validation vulnerability in Apache Zeppelin. The fix for JDBC URL validation in CVE-2024-31864 did not account for URL encoded input.

This issue affects Apache Zeppelin: from 0.11.1 before 0.12.0.

Users are recommended to upgrade to version 0.12.0, which fixes the issue.

References

Credits

  • H Ming (finder)

Command Injection via CSWSH

CVE-2024-51775 [CVE] [CVE json] [OSV json]

Last updated: 2025-08-03T10:14:50.764Z

Affected

  • Apache Zeppelin from 0.11.1 before 0.12.0

Description

Missing Origin Validation in WebSockets vulnerability in Apache Zeppelin.

The attacker could access the Zeppelin server from another origin without any restriction, and get internal information about paragraphs. 

This issue affects Apache Zeppelin: from 0.11.1 before 0.12.0.

Users are recommended to upgrade to version 0.12.0, which fixes the issue.

References

Credits

  • Calum Hutton (finder)

XSS in the Helium module

CVE-2024-41177 [CVE] [CVE json] [OSV json]

Last updated: 2025-08-03T10:09:33.254Z

Affected

  • Apache Zeppelin before 0.12.0

Description

Incomplete Blacklist to Cross-Site Scripting vulnerability in Apache Zeppelin.

This issue affects Apache Zeppelin: before 0.12.0.

Users are recommended to upgrade to version 0.12.0, which fixes the issue.

References

Credits

  • H Ming (finder)

raft directory listing and file read

CVE-2024-41169 [CVE] [CVE json] [OSV json]

Last updated: 2025-07-12T16:22:30.823Z

Affected

  • Apache Zeppelin from 0.10.1 before 0.12.0

Description

The attacker can use the raft server protocol in an unauthenticated way. The attacker can see the server's resources, including directories and files.

This issue affects Apache Zeppelin: from 0.10.1 up to 0.12.0.

Users are recommended to upgrade to version 0.12.0, which fixes the issue by removing the Cluster Interpreter.

References

Credits

XSS vulnerability in the helium module

CVE-2024-31868 [CVE] [CVE json] [OSV json]

Last updated: 2024-10-03T12:35:14.839Z

Affected

  • Apache Zeppelin from 0.8.2 before 0.11.1

Description

Improper Encoding or Escaping of Output vulnerability in Apache Zeppelin.

The attackers can modify helium.json and exposure XSS attacks to normal users.

This issue affects Apache Zeppelin: from 0.8.2 before 0.11.1.

Users are recommended to upgrade to version 0.11.1, which fixes the issue.

References

Credits

  • H Ming (finder)

LDAP search filter query Injection Vulnerability

CVE-2024-31867 [CVE] [CVE json] [OSV json]

Last updated: 2024-04-09T16:15:46.165Z

Affected

  • Apache Zeppelin from 0.8.2 before 0.11.1

Description

Improper Input Validation vulnerability in Apache Zeppelin.

The attackers can execute malicious queries by setting improper configuration properties to LDAP search filter.

This issue affects Apache Zeppelin: from 0.8.2 before 0.11.1.

Users are recommended to upgrade to version 0.11.1, which fixes the issue.

References

Credits

  • Qing Xu (finder)

Interpreter download command does not escape malicious code injection

CVE-2024-31866 [CVE] [CVE json] [OSV json]

Last updated: 2024-04-09T16:09:09.746Z

Affected

  • Apache Zeppelin from 0.8.2 before 0.11.1

Description

Improper Encoding or Escaping of Output vulnerability in Apache Zeppelin.

The attackers can execute shell scripts or malicious code by overriding configuration like ZEPPELIN_INTP_CLASSPATH_OVERRIDES.

This issue affects Apache Zeppelin: from 0.8.2 before 0.11.1.

Users are recommended to upgrade to version 0.11.1, which fixes the issue.

References

Credits

Cron arbitrary user impersonation with improper privileges

CVE-2024-31865 [CVE] [CVE json] [OSV json]

Last updated: 2024-04-09T16:07:34.123Z

Affected

  • Apache Zeppelin from 0.8.2 before 0.11.1

Description

Improper Input Validation vulnerability in Apache Zeppelin.

The attackers can call updating cron API with invalid or improper privileges so that the notebook can run with the privileges.

This issue affects Apache Zeppelin: from 0.8.2 before 0.11.1.

Users are recommended to upgrade to version 0.11.1, which fixes the issue.

References

Credits

Remote code execution by adding malicious JDBC connection string

CVE-2024-31864 [CVE] [CVE json] [OSV json]

Last updated: 2024-04-11T07:54:22.052Z

Affected

  • Apache Zeppelin before 0.11.1

Description

Improper Control of Generation of Code (‘Code Injection’) vulnerability in Apache Zeppelin.

The attacker can inject sensitive configuration or malicious code when connecting MySQL database via JDBC driver.

This issue affects Apache Zeppelin: before 0.11.1.

Users are recommended to upgrade to version 0.11.1, which fixes the issue.

References

Credits

  • rg (finder)
  • Nbxiglk (finder)

Replacing other users notebook, bypassing any permissions

CVE-2024-31863 [CVE] [CVE json] [OSV json]

Last updated: 2024-04-09T10:25:26.871Z

Affected

  • Apache Zeppelin from 0.10.1 before 0.11.0

Description

Authentication Bypass by Spoofing vulnerability by replacing to exsiting notes in Apache Zeppelin.

This issue affects Apache Zeppelin: from 0.10.1 before 0.11.0.

Users are recommended to upgrade to version 0.11.0, which fixes the issue.

References

Credits

Denial of service with invalid notebook name

CVE-2024-31862 [CVE] [CVE json] [OSV json]

Last updated: 2024-04-09T09:40:37.681Z

Affected

  • Apache Zeppelin from 0.10.1 before 0.11.0

Description

Improper Input Validation vulnerability in Apache Zeppelin when creating a new note from Zeppelin’s UI.

This issue affects Apache Zeppelin: from 0.10.1 before 0.11.0.

Users are recommended to upgrade to version 0.11.0, which fixes the issue.

References

Credits

Path traversal vulnerability

CVE-2024-31860 [CVE] [CVE json] [OSV json]

Last updated: 2025-05-06T13:12:30.032Z

Affected

  • Apache Zeppelin from 0.9.0 before 0.11.0

Description

Improper Input Validation vulnerability in Apache Zeppelin.

By adding relative path indicators(E.g ..), attackers can see the contents for any files in the filesystem that the server account can access. 

This issue affects Apache Zeppelin: from 0.9.0 before 0.11.0.

Users are recommended to upgrade to version 0.11.0, which fixes the issue.

References

Credits

  • Kai Zhao (finder)

connecting to a malicious SAP server allowed it to perform XXE

CVE-2022-47894 [CVE] [CVE json] [OSV json]

Last updated: 2024-04-09T09:29:15.865Z

Affected

  • Apache Zeppelin SAP from 0.8.0 before 0.11.0

Description

Improper Input Validation vulnerability in Apache Zeppelin SAP.

This issue affects Apache Zeppelin SAP: from 0.8.0 before 0.11.0.

As this project is retired, we do not plan to release a version that fixes this issue. Users are recommended to find an alternative or restrict access to the instance to trusted users.

For more information, the fix already was merged in the source code but Zeppelin decided to retire the SAP component

NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

References

Credits

  • kuiplatain@knownsec 404 Team (finder)

Stored XSS in note permissions

CVE-2022-46870 [CVE] [CVE json] [OSV json]

Last updated: 2022-12-16T12:54:56.815Z

Affected

  • Apache Zeppelin before 0.8.2

Description

An Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Apache Zeppelin allows logged-in users to execute arbitrary javascript in other users’ browsers.

This issue affects Apache Zeppelin before 0.8.2. Users are recommended to upgrade to a supported version of Zeppelin.

References

CSRF vulnerability in the Credentials page

CVE-2021-28656 [CVE] [CVE json] [OSV json]

Last updated: 2024-04-09T09:12:56.855Z

Affected

  • Apache Zeppelin through 0.9.0

Description

Cross-Site Request Forgery (CSRF) vulnerability in Credential page of Apache Zeppelin allows an attacker to submit malicious request. This issue affects Apache Zeppelin Apache Zeppelin version 0.9.0 and prior versions.

References

Credits

  • Jiang Qingzhi (finder)

Arbitrary file deletion vulnerability

CVE-2021-28655 [CVE] [CVE json] [OSV json]

Last updated: 2022-12-20T09:49:02.814Z

Affected

  • Apache Zeppelin through 0.9.0

Description

The improper Input Validation vulnerability in “”Move folder to Trash” feature of Apache Zeppelin allows an attacker to delete the arbitrary files. This issue affects Apache Zeppelin Apache Zeppelin version 0.9.0 and prior versions.

References

Credits

  • Kai Zhao (finder)

Cross Site Scripting in markdown interpreter

CVE-2021-27578 [CVE] [CVE json] [OSV json]

Last updated: 2021-09-02T16:11:07.660Z

Affected

  • Apache Zeppelin from Apache Zeppelin before 0.9.0

Description

Cross Site Scripting vulnerability in markdown interpreter of Apache Zeppelin allows an attacker to inject malicious scripts. This issue affects Apache Zeppelin Apache Zeppelin versions prior to 0.9.0.

References

Credits

  • Apache Zeppelin would like to thank Paulo Pacheco for reporting this issue

Notebook permissions bypass

CVE-2020-13929 [CVE] [CVE json] [OSV json]

Last updated: 2021-09-02T16:10:15.351Z

Affected

  • Apache Zeppelin from Apache Zeppelin through 0.9.0

Description

Authentication bypass vulnerability in Apache Zeppelin allows an attacker to bypass Zeppelin authentication mechanism to act as another user. This issue affects Apache Zeppelin Apache Zeppelin version 0.9.0 and prior versions.

References

Credits

  • Apache Zeppelin would like to thank David Woodhouse for reporting this issue

bash command injection in spark interpreter

CVE-2019-10095 [CVE] [CVE json] [OSV json]

Last updated: 2022-12-08T11:51:05.587Z

Affected

  • Apache Zeppelin from Apache Zeppelin through 0.9.0

Description

bash command injection vulnerability in Apache Zeppelin allows an attacker to inject system commands into Spark interpreter settings. This issue affects Apache Zeppelin Apache Zeppelin version 0.9.0 and prior versions.

References

Credits

  • Apache Zeppelin would like to thank HERE Security team for reporting this issue