CVE-2019-10095

Description

bash command injection vulnerability in Apache Zeppelin allows an attacker to inject system commands into Spark interpreter settings. This issue affects Apache Zeppelin Apache Zeppelin version 0.9.0 and prior versions.

Related CPE's

a apache zeppelin ********

References

https://lists.apache.org/thread.html/rdf06e8423833b3daadc30c56a2ff47c48920864d5199476daa897208%40%3Cusers.zeppelin.apache.org%3E

Mailing ListVendor Advisory

[zeppelin-users] 20210902 CVE-2019-10095: Apache Zeppelin: bash command injection in spark interpreter

Mailing ListVendor Advisory

[oss-security] 20210902 CVE-2019-10095: Apache Zeppelin: bash command injection in spark interpreter

Mailing ListThird Party Advisory

[announce] 20210902 CVE-2019-10095: Apache Zeppelin: bash command injection in spark interpreter

Mailing ListVendor Advisory

CvssV3 impact

BaseSeverity	CRITICAL
ConfidentialityImpact	HIGH
AttackComplexity	LOW
Scope	UNCHANGED
AttackVector	NETWORK
AvailabilityImpact	HIGH
IntegrityImpact	HIGH
PrivilegesRequired	NONE
BaseScore	9.8
VectorString	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Version	3.1
UserInteraction	NONE

CvssV2 impact

AccessComplexity	LOW
ConfidentialityImpact	COMPLETE
AvailabilityImpact	COMPLETE
IntegrityImpact	COMPLETE
BaseScore	10
VectorString	AV:N/AC:L/Au:N/C:C/I:C/A:C
Version	2.0
AccessVector	NETWORK
Authentication	NONE

Created by Yello

About Severity.io