CVE-2024-41169

An attacker can use the raft server protocol without authentication and can view the server's resources, including directories and files. This issue affects Apache Zeppelin from 0.10.1 up to, but not including, 0.12.0. Users are recommended to upgrade to version 0.12.0, which fixes the issue by removing the Cluster Interpreter.
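The advisory gives two facts an operator can act on: the affected version range and the component involved. The script below is an added triage example written for this page; it is not code from the Apache Zeppelin project or from the advisory. Its version check uses only the range stated above (0.10.1 up to, but not including, 0.12.0), and conservatively treats a pre-release build labelled 0.12.0 (such as 0.12.0-SNAPSHOT) as affected, because such a build may predate the fix. Its configuration check rests on an assumption the page does not state: that Zeppelin's cluster mode, which starts the raft server, is enabled by a non-empty "zeppelin.cluster.addr" property in zeppelin-site.xml. The two sample configurations are constructed for the example.

```python
"""Triage helper for CVE-2024-41169 (Apache Zeppelin, unauthenticated raft server).

Added example for this page; not code from the Zeppelin project or the advisory.
"""
import re
import sys
import xml.etree.ElementTree as ET

# Affected range stated in the advisory: 0.10.1 up to, but not including, 0.12.0.
AFFECTED_MIN = (0, 10, 1)
FIXED_IN = (0, 12, 0)

# Assumption (not stated on the advisory page): cluster mode, which starts the
# raft server, is enabled by a non-empty zeppelin.cluster.addr in zeppelin-site.xml.
CLUSTER_ADDR_PROPERTY = "zeppelin.cluster.addr"

_VERSION_RE = re.compile(r"v?(\d+)\.(\d+)(?:\.(\d+))?(?:[-+](\S+))?")


def parse_version(version):
    """Split '0.11.1', 'v0.10.1' or '0.12.0-SNAPSHOT' into ((major, minor, patch), qualifier)."""
    m = _VERSION_RE.fullmatch(version.strip())
    if not m:
        raise ValueError("unrecognised Zeppelin version: %r" % version)
    major, minor, patch, qualifier = m.groups()
    return (int(major), int(minor), int(patch or 0)), qualifier


def version_is_affected(version):
    """True if the version falls in the advisory's affected range."""
    core, qualifier = parse_version(version)
    if AFFECTED_MIN <= core < FIXED_IN:
        return True
    # A pre-release labelled with the fixed version (e.g. 0.12.0-SNAPSHOT) may
    # predate the fix commit, so treat it as affected rather than as fixed.
    return core == FIXED_IN and qualifier is not None


def cluster_mode_enabled(zeppelin_site_xml):
    """True if zeppelin-site.xml sets a non-empty zeppelin.cluster.addr (see assumption above)."""
    root = ET.fromstring(zeppelin_site_xml)
    for prop in root.iter("property"):
        name = (prop.findtext("name") or "").strip()
        value = (prop.findtext("value") or "").strip()
        if name == CLUSTER_ADDR_PROPERTY and value:
            return True
    return False


def triage(version, zeppelin_site_xml):
    """Combine the version check and the configuration check into one verdict."""
    if not version_is_affected(version):
        return "not-affected"
    if cluster_mode_enabled(zeppelin_site_xml):
        return "vulnerable"
    # Affected build, but the raft-backed cluster mode is not configured. The
    # advisory's upgrade recommendation still applies.
    return "affected-version-cluster-off"


# Constructed sample configurations for the example, not taken from a real deployment.
SAMPLE_CLUSTER_ON = """<?xml version="1.0"?>
<configuration>
  <property>
    <name>zeppelin.server.port</name>
    <value>8080</value>
  </property>
  <property>
    <name>zeppelin.cluster.addr</name>
    <value>10.0.0.11:6000,10.0.0.12:6000,10.0.0.13:6000</value>
  </property>
</configuration>
"""

SAMPLE_CLUSTER_OFF = """<?xml version="1.0"?>
<configuration>
  <property>
    <name>zeppelin.server.port</name>
    <value>8080</value>
  </property>
  <property>
    <name>zeppelin.cluster.addr</name>
    <value></value>
  </property>
</configuration>
"""


def main(argv):
    """Usage: triage.py <version> <path-to-zeppelin-site.xml>; with no arguments, run the samples."""
    if len(argv) == 3:
        with open(argv[2], encoding="utf-8") as fh:
            print(triage(argv[1], fh.read()))
        return
    for version, config in (("0.11.1", SAMPLE_CLUSTER_ON),
                            ("0.11.1", SAMPLE_CLUSTER_OFF),
                            ("0.12.0", SAMPLE_CLUSTER_ON)):
        print(version, triage(version, config))


if __name__ == "__main__":
    main(sys.argv)
```

Run it with the version string the Zeppelin server reports and the live zeppelin-site.xml. The "affected-version-cluster-off" verdict only says that the cluster mode listener is not configured under the assumption above; an affected build should still be upgraded to 0.12.0 as the advisory recommends.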
References
https://github.com/apache/zeppelin/pull/4841 (Patch, Vendor Advisory)
https://issues.apache.org/jira/browse/ZEPPELIN-6101 (Patch, Issue Tracking)
https://lists.apache.org/thread/moyym04993c8owh4h0qj98r43tbo8qdd (Mailing List, Vendor Advisory, Issue Tracking, Patch)
Configurations

Configuration 1

cpe:2.3:a:apache:zeppelin:*:*:*:*:*:*:*:*

History

29 Jul 2025, 15:07

Type: References
  Removed: https://github.com/apache/zeppelin/pull/4841
  Added: https://github.com/apache/zeppelin/pull/4841 (Patch, Vendor Advisory)
Type: References
  Removed: https://issues.apache.org/jira/browse/ZEPPELIN-6101
  Added: https://issues.apache.org/jira/browse/ZEPPELIN-6101 (Patch, Issue Tracking)
Type: References
  Removed: https://lists.apache.org/thread/moyym04993c8owh4h0qj98r43tbo8qdd
  Added: https://lists.apache.org/thread/moyym04993c8owh4h0qj98r43tbo8qdd (Mailing List, Vendor Advisory, Issue Tracking, Patch)
Type: CPE
  Added: cpe:2.3:a:apache:zeppelin:*:*:*:*:*:*:*:*
Type: First Time
  Added: Apache zeppelin, Apache

14 Jul 2025, 16:15

Type: Summary
  Added (es, translated from Spanish): The attacker can use the Raft server protocol without authenticating. They can access the server's resources, including directories and files. This issue affects Apache Zeppelin from version 0.10.1 up to 0.12.0. Upgrading to version 0.12.0, which fixes the issue by removing the Cluster Interpreter, is recommended.
Type: CVSS
  Removed: v2: unknown, v3: unknown
  Added: v2: unknown, v3: 7.5

12 Jul 2025, 17:15

New CVE

Information

Published : 2025-07-12 17:15

Updated : 2025-07-29 15:07


NVD link : CVE-2024-41169

Mitre link : CVE-2024-41169

CVE.ORG link : CVE-2024-41169



Products Affected

apache

  • zeppelin
CWE
CWE-664

Improper Control of a Resource Through its Lifetime