=====================================================================
CERT-Renater Note d'Information No. 2021/VULN433
_____________________________________________________________________
DATE                 : 07/09/2021
HARDWARE PLATFORM(S) : /
OPERATING SYSTEM(S)  : Systems running Apache Zeppelin versions prior to 0.9.0.
=====================================================================

References:
http://mail-archives.apache.org/mod_mbox/www-announce/202109.mbox/%3c4c781bd3-8184-14d3-8020-d7f7ad0af3c7@apache.org%3e
http://mail-archives.apache.org/mod_mbox/www-announce/202109.mbox/%3cc4f600f9-53f7-4fd6-0a42-8ce1b7a028a9@apache.org%3e
http://mail-archives.apache.org/mod_mbox/www-announce/202109.mbox/%3cd0e93495-8fba-959c-e908-d02e8b0bf524@apache.org%3e
_____________________________________________________________________

CVE-2019-10095: Apache Zeppelin: bash command injection in spark interpreter

Description:
A bash command injection vulnerability in Apache Zeppelin allows an attacker to inject system commands into Spark interpreter settings.
This issue affects Apache Zeppelin version 0.9.0 and prior versions.

Credit: Apache Zeppelin would like to thank HERE Security team for reporting this issue.
_____________________________________________________________________

CVE-2020-13929: Apache Zeppelin: Notebook permissions bypass

Severity: critical

Description:
An authentication bypass vulnerability in Apache Zeppelin allows an attacker to bypass the Zeppelin authentication mechanism and act as another user.
This issue affects Apache Zeppelin version 0.9.0 and prior versions.

Credit: Apache Zeppelin would like to thank David Woodhouse for reporting this issue.
_____________________________________________________________________

CVE-2021-27578: Apache Zeppelin: Cross Site Scripting in markdown interpreter

Description:
A Cross Site Scripting vulnerability in the markdown interpreter of Apache Zeppelin allows an attacker to inject malicious scripts.
This issue affects Apache Zeppelin versions prior to 0.9.0.

Credit: Apache Zeppelin would like to thank Paulo Pacheco for reporting this issue.

=========================================================
+ CERT-RENATER         | tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel     | fax : 01-53-94-20-41          +
+ 75013 Paris          | email: cert@support.renater.fr +
=========================================================
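Added example (not part of the CERT-Renater note or of the Apache announcements): a small Python check that maps an installed Apache Zeppelin version string onto the three CVEs above, using the affected ranges exactly as each CVE entry words them. Note that the per-CVE wording differs: CVE-2019-10095 and CVE-2020-13929 say "0.9.0 and prior versions" while CVE-2021-27578 says "prior to 0.9.0", so 0.9.0 itself is reported for the first two only. The version strings fed to the check are constructed sample input; pre-release suffixes (such as "-preview") are ignored and the version is treated as its base number, which is the conservative choice for an inventory check.

```python
"""Map an Apache Zeppelin version string onto the CVEs listed in
CERT-Renater note 2021/VULN433 (added example, not the note's own tooling)."""
import re
from typing import List, Tuple

# (CVE id, title, boundary version, boundary itself affected?)
# Ranges are taken from the wording of each CVE entry in the note.
ADVISORIES = [
    ("CVE-2019-10095", "bash command injection in spark interpreter", "0.9.0", True),
    ("CVE-2020-13929", "Notebook permissions bypass", "0.9.0", True),
    ("CVE-2021-27578", "Cross Site Scripting in markdown interpreter", "0.9.0", False),
]


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'MAJOR.MINOR[.PATCH][-suffix]' into a comparable tuple.

    Any suffix after the numeric part (e.g. '-preview1') is ignored, so a
    pre-release is treated as equal to its base version.
    """
    m = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised Zeppelin version string: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def affected_cves(version: str) -> List[str]:
    """Return the CVE ids from the note whose stated range covers `version`."""
    v = parse_version(version)
    hits = []
    for cve, _title, boundary, inclusive in ADVISORIES:
        b = parse_version(boundary)
        if v < b or (inclusive and v == b):
            hits.append(cve)
    return hits


def report(version: str) -> str:
    """Human-readable one-liner for an inventory or ticketing script."""
    hits = affected_cves(version)
    if not hits:
        return f"Zeppelin {version}: not in any affected range listed in 2021/VULN433"
    return f"Zeppelin {version}: affected by {', '.join(hits)}"


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    for sample in ("0.8.2", "0.9.0", "0.9.0-preview2", "0.10.0"):
        print(report(sample))
```

In an asset inventory this would run over the version reported by each Zeppelin instance; a non-empty result is the trigger to upgrade past the affected range rather than to tune the check.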