bash command injection in spark interpreter
Description
Apache Zeppelin versions 0.9.0 and prior allow bash command injection via Spark interpreter settings, enabling remote code execution.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Apache Zeppelin versions 0.9.0 and prior contain a bash command injection vulnerability in the Spark interpreter settings. An attacker can inject arbitrary system commands by manipulating the interpreter configuration. [1][2]
Exploitation
The attacker needs network access to the Zeppelin server and the ability to modify Spark interpreter settings (e.g., via the notebook interface or API). No authentication is explicitly required if the server is exposed, but some user interaction may typically be needed. No public exploit code is disclosed in the available references. [1][2]
Impact
Successful exploitation allows an attacker to execute arbitrary system commands on the Zeppelin server, leading to full remote code execution with the privileges of the Zeppelin process. This can result in data disclosure, modification, or denial of service. [1][2]
Mitigation
Upgrade to Apache Zeppelin version 0.10.1 or later, which contains the fix. [4] No known workarounds are available. Users should also restrict network access to the Zeppelin interface. [4]
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.apache.zeppelin:zeppelin | Maven | < 0.10.0 | 0.10.0 |
Affected products (2)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (10)
- github.com/advisories/GHSA-4qw8-pgpr-p9mq (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2019-10095 (ghsa, ADVISORY)
- security.gentoo.org/glsa/202311-04 (ghsa, vendor-advisory, WEB)
- www.openwall.com/lists/oss-security/2021/09/02/1 (ghsa, mailing-list, WEB)
- lists.apache.org/thread.html/rd56389ba9cab30a6c976b9a4a6df0f85cbe8fba6a60a3cf6e3ba716b%40%3Cusers.zeppelin.apache.org%3E (ghsa, mailing-list, WEB)
- lists.apache.org/thread.html/rd56389ba9cab30a6c976b9a4a6df0f85cbe8fba6a60a3cf6e3ba716b@%3Cusers.zeppelin.apache.org%3E (ghsa, WEB)
- lists.apache.org/thread.html/rdf06e8423833b3daadc30c56a2ff47c48920864d5199476daa897208%40%3Cannounce.apache.org%3E (ghsa, mailing-list, WEB)
- lists.apache.org/thread.html/rdf06e8423833b3daadc30c56a2ff47c48920864d5199476daa897208%40%3Cusers.zeppelin.apache.org%3E (ghsa, mailing-list, WEB)
- lists.apache.org/thread.html/rdf06e8423833b3daadc30c56a2ff47c48920864d5199476daa897208@%3Cannounce.apache.org%3E (ghsa, WEB)
- lists.apache.org/thread.html/rdf06e8423833b3daadc30c56a2ff47c48920864d5199476daa897208@%3Cusers.zeppelin.apache.org%3E (ghsa, WEB)
News mentions (0)
No linked articles in our index yet.