Apache Zeppelin

22 CVEs affecting Apache Zeppelin. Latest disclosed: 2025-08-03. Critical: 3, High: 4.

Top CVEs affecting Apache Zeppelin (20 of the 22, ordered by score; summaries are truncated as on the source page)

| CVE | Severity | CVSS score | Published | Summary |
|---|---|---|---|---|
| CVE-2024-31866 | Critical | 9.8 | 2024-04-09 | Improper Encoding or Escaping of Output vulnerability in Apache Zeppelin. Attackers can execute shell scripts or malicious code by overriding configuratio… |
| CVE-2024-31864 | Critical | 9.8 | 2024-04-09 | Improper Control of Generation of Code ('Code Injection') vulnerability in Apache Zeppelin. The attacker can inject sensitive configuration or malicious code… |
| CVE-2019-10095 | Critical | 9.8 | 2021-09-02 | Bash command injection vulnerability in Apache Zeppelin allows an attacker to inject system commands into Spark interpreter settings. This issue affects Apache… |
| CVE-2018-1317 | High | 8.8 | 2019-04-23 | In Apache Zeppelin prior to 0.8.0 the cron scheduler was enabled by default and could allow users to run paragraphs as other users without authentication. |
| CVE-2017-12619 | High | 8.1 | 2019-04-23 | Apache Zeppelin prior to 0.7.3 was vulnerable to session fixation, which allowed an attacker to hijack a valid user session. Issue was reported by "stone lone". |
| CVE-2024-41169 | High | 7.5 | 2025-07-12 | The attacker can use the raft server protocol in an unauthenticated way. The attacker can see the server's resources, including directories and files. This is… |
| CVE-2020-13929 | High | 7.5 | 2021-09-02 | Authentication bypass vulnerability in Apache Zeppelin allows an attacker to bypass the Zeppelin authentication mechanism to act as another user. This issue affect… |
| CVE-2024-31867 | Medium | 6.5 | 2024-04-09 | Improper Input Validation vulnerability in Apache Zeppelin. Attackers can execute malicious queries by setting improper configuration properties to LDAP s… |
| CVE-2024-31865 | Medium | 6.5 | 2024-04-09 | Improper Input Validation vulnerability in Apache Zeppelin. Attackers can call the cron-update API with invalid or improper privileges so that the notebook… |
| CVE-2024-31860 | Medium | 6.5 | 2024-04-09 | Improper Input Validation vulnerability in Apache Zeppelin. By adding relative path indicators (e.g. ..), attackers can read the contents of any file in the fi… |
| CVE-2021-28655 | Medium | 6.5 | 2022-12-16 | The Improper Input Validation vulnerability in the "Move folder to Trash" feature of Apache Zeppelin allows an attacker to delete arbitrary files. This issue… |
| CVE-2024-41177 | Medium | 6.1 | 2025-08-03 | Incomplete Blacklist to Cross-Site Scripting vulnerability in Apache Zeppelin. This issue affects Apache Zeppelin: before 0.12.0. Users are recommended to up… |
| CVE-2024-31868 | Medium | 6.1 | 2024-04-09 | Improper Encoding or Escaping of Output vulnerability in Apache Zeppelin. Attackers can modify helium.json and expose normal users to XSS attacks. This… |
| CVE-2021-27578 | Medium | 6.1 | 2021-09-02 | Cross Site Scripting vulnerability in the markdown interpreter of Apache Zeppelin allows an attacker to inject malicious scripts. This issue affects Apache Zeppeli… |
| CVE-2018-1328 | Medium | 6.1 | 2019-04-23 | Apache Zeppelin prior to 0.8.0 had a stored XSS issue via Note permissions. Issue reported by "Josna Joseph". |
| CVE-2021-28656 | Medium | 5.4 | 2024-04-09 | Cross-Site Request Forgery (CSRF) vulnerability in the Credential page of Apache Zeppelin allows an attacker to submit a malicious request. This issue affects Apach… |
| CVE-2022-46870 | Medium | 5.4 | 2022-12-16 | An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Apache Zeppelin allows logged-in users to execute arbi… |
| CVE-2024-51775 | Medium | 5.3 | 2025-08-03 | Missing Origin Validation in WebSockets vulnerability in Apache Zeppelin. The attacker could access the Zeppelin server from another origin without any restri… |
| CVE-2024-52279 | Medium | 5.3 | 2025-08-03 | Improper Input Validation vulnerability in Apache Zeppelin. The fix for JDBC URL validation in CVE-2024-31864 did not account for URL-encoded input. This issu… |
| CVE-2024-31863 | Medium | 5.3 | 2024-04-09 | Authentication Bypass by Spoofing vulnerability by replacing existing notes in Apache Zeppelin. This issue affects Apache Zeppelin: from 0.10.1 before 0.11.0… |
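The CVE-2024-52279 entry records a validation fix that was bypassed because it inspected the raw JDBC URL rather than its decoded form. The Python below is an added illustration of that failure mode and is not Apache Zeppelin's code, its original fix, or its follow-up fix: the denied and allowed parameter names, the sample URLs and the function names are assumptions chosen for the example. It goes slightly beyond the single-encoding case in the entry by decoding until the value stabilises, so double-encoded input is handled as well.

```python
"""Added example (not Apache Zeppelin code): a substring check on the
raw JDBC URL is defeated by percent-encoding; canonicalising first is not.

Everything below (parameter names, URLs, helpers) is an assumption
chosen for illustration, not the project's real configuration.
"""
from urllib.parse import parse_qsl, unquote, urlsplit

# Hypothetical driver parameters a deployment refuses in user-supplied
# JDBC URLs (assumption; real drivers and names vary).
DENIED_PARAMS = ("allowloadlocalinfile", "autodeserialize", "socketfactory")

# Hypothetical allowlist of query parameters a user may set (assumption).
ALLOWED_PARAMS = {"sslmode", "user", "password", "connecttimeout"}

# Constructed sample inputs for the example.
SAMPLE_BENIGN = "jdbc:postgresql://db.example.internal:5432/app?sslmode=require"
SAMPLE_PLAIN = "jdbc:mysql://db.example.internal:3306/app?allowLoadLocalInfile=true"
SAMPLE_ENCODED = "jdbc:mysql://db.example.internal:3306/app?%61llowLoadLocalInfile=true"
SAMPLE_DOUBLE_ENCODED = "jdbc:mysql://db.example.internal:3306/app?%2561llowLoadLocalInfile=true"


def naive_is_safe(jdbc_url: str) -> bool:
    """The weak pattern: match denylist entries against the raw string.
    '%61llow...' does not contain 'allow...', so it passes."""
    lowered = jdbc_url.lower()
    return not any(param in lowered for param in DENIED_PARAMS)


def canonicalize(value: str, max_rounds: int = 5) -> str:
    """Percent-decode until the value stops changing, then lower-case.
    Repeating the decode catches double encoding such as '%2561' -> '%61'
    -> 'a'; input that never stabilises is treated as hostile."""
    current = value
    for _ in range(max_rounds):
        decoded = unquote(current)
        if decoded == current:
            return current.lower()
        current = decoded
    raise ValueError("input did not stabilise after decoding")


def hardened_is_safe(jdbc_url: str) -> bool:
    """Same denylist, but applied to the canonical form."""
    try:
        canonical = canonicalize(jdbc_url)
    except ValueError:
        return False
    return not any(param in canonical for param in DENIED_PARAMS)


def allowlist_is_safe(jdbc_url: str) -> bool:
    """Stronger still: parse the canonical query string and accept only
    parameters that are explicitly allowed, rather than hunting for
    known-bad substrings. Assumes '?'-style query parameters; drivers
    that use ';' separators would need their own parser."""
    try:
        canonical = canonicalize(jdbc_url)
    except ValueError:
        return False
    query = urlsplit(canonical).query
    pairs = parse_qsl(query, keep_blank_values=True)
    return all(key in ALLOWED_PARAMS for key, _ in pairs)


if __name__ == "__main__":
    for url in (SAMPLE_BENIGN, SAMPLE_PLAIN, SAMPLE_ENCODED, SAMPLE_DOUBLE_ENCODED):
        print(url)
        print("  naive     :", naive_is_safe(url))
        print("  hardened  :", hardened_is_safe(url))
        print("  allowlist :", allowlist_is_safe(url))
```

Whichever check is used, validate and connect with the same canonical string; validating one representation and handing the driver another reopens the gap the decoding step closed.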