Description
Improper Control of Generation of Code ('Code Injection') vulnerability in Apache Zeppelin. The attacker can inject sensitive configuration or malicious code when connecting MySQL database via JDBC driver. This issue affects Apache Zeppelin: before 0.11.1. Users are recommended to upgrade to version 0.11.1, which fixes the issue.
References (5)
Core 5
Core References
Issue Tracking patch
https://github.com/apache/zeppelin/pull/4709
Not Applicable related
https://www.cve.org/CVERecord?id=CVE-2020-11974
Mailing List, Vendor Advisory vendor-advisory
https://lists.apache.org/thread/752qdk0rnkd9nqtornz734zwb7xdwcdb
Scores
CVSS v3
9.8
EPSS
0.0111
EPSS Percentile
78.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
total
Details
CWE
CWE-94
Status
published
Products (2)
apache/zeppelin
< 0.11.1
org.apache.zeppelin/zeppelin-jdbc
0 - 0.11.1Maven
Published
Apr 09, 2024
Tracked Since
Feb 18, 2026