Apache Zeppelin: Path traversal vulnerability
Description
Path traversal in Apache Zeppelin allows reading arbitrary files via relative path indicators in note names.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Root cause
CVE-2024-31860 is an improper input validation vulnerability in Apache Zeppelin's note name handling. The server does not sanitize note paths, so an attacker can inject relative path sequences such as .. or URL-encoded variants such as %2e%2e [1][4]. Because nothing rejects these sequences, the resulting path can resolve outside the intended notebook directory.
Exploitation
An attacker can exploit this by supplying a note name that contains relative path indicators; for example, a note path such as ../../etc/passwd is accepted by the server without validation [2][3]. No authentication is required if the Zeppelin server exposes its note creation or renaming endpoints to unauthenticated users, but the attacker must in any case have network access to the Zeppelin web interface.
Impact
Successful exploitation lets an attacker read the contents of any file on the filesystem that the Zeppelin server process can access, which could disclose sensitive configuration files, credentials, or application code [2][3]. The CVSS score has not been fully assessed; the vendor rates the severity as low, likely because the server account is expected to already run with limited privileges.
Mitigation
The vulnerability affects Apache Zeppelin versions 0.9.0 through 0.10.x and is fixed in version 0.11.0, which adds validation that rejects note names containing .. or ending with / [1][4]. Users are strongly recommended to upgrade to 0.11.0 or later [2][3]. No workaround is known for deployments that cannot upgrade.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
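The following is an added illustration, not Zeppelin's own code: it is written in Python rather than the project's Java, the notebook root path is a constructed placeholder, and the final root-containment check goes beyond what the 0.11.0 patch does. It contrasts a validator that checks for .. before percent-decoding (the pattern a %2e%2e name slips past) with the decode-then-validate ordering the fix applies, including the trailing-slash and basename-length checks seen in the patch.

```python
"""Note-name validation modelled on the CVE-2024-31860 fix (constructed example).

naive_normalize shows the vulnerable ordering: the '..' check runs on the raw,
still-encoded name. hardened_normalize decodes first, as the Zeppelin 0.11.0
patch does, so encoded variants are seen in their decoded form before any
check. resolve_under_root is an extra defence-in-depth step, not part of the
upstream patch.
"""
import posixpath
from urllib.parse import unquote_plus  # mirrors Java URLDecoder ('+' -> space)

# Assumed notebook storage location; not taken from the advisory.
NOTEBOOK_ROOT = "/var/lib/zeppelin/notebook"


class InvalidNoteName(ValueError):
    """Raised when a note name fails validation."""


def naive_normalize(note_path: str) -> str:
    """Vulnerable pattern: reject '..' before decoding, then decode."""
    if ".." in note_path:
        raise InvalidNoteName("Note name can not contain '..'")
    # A later layer decodes the name, so "%2e%2e" becomes ".." only after
    # the check above has already passed.
    return unquote_plus(note_path)


def hardened_normalize(note_path: str) -> str:
    """Decode first, then validate, mirroring the ordering in the fix."""
    # Decode percent-escapes before every check so encoded variants cannot
    # slip past; this also means an encoded CR/LF is scrubbed correctly below.
    note_path = unquote_plus(note_path)
    note_path = note_path.replace("\r", " ").replace("\n", " ")
    if ".." in note_path:
        raise InvalidNoteName("Note name can not contain '..'")
    if note_path.endswith("/"):
        raise InvalidNoteName("Note name shouldn't end with '/'")
    # Basename length limit, as in the patched method (length minus last '/').
    if len(note_path) - note_path.rfind("/") > 255:
        raise InvalidNoteName("Note name must be less than 255")
    return note_path


def resolve_under_root(note_path: str, root: str = NOTEBOOK_ROOT) -> str:
    """Defence in depth: map the note to a file and confirm it stays under root."""
    candidate = posixpath.normpath(posixpath.join(root, note_path.lstrip("/"))) + ".zpln"
    if not candidate.startswith(root.rstrip("/") + "/"):
        raise InvalidNoteName("Note path escapes the notebook directory")
    return candidate


def check(validator, name: str):
    """Return the validator's outcome as ('ok', result) or ('rejected', message)."""
    try:
        return ("ok", validator(name))
    except InvalidNoteName as e:
        return ("rejected", str(e))


if __name__ == "__main__":
    for name in ["../../etc/passwd", "%2e%2e/%2e%2e/etc/passwd", "./", "Untitled Note 1"]:
        print(f"{name!r:32} naive={check(naive_normalize, name)} hardened={check(hardened_normalize, name)}")
```

The decisive difference is the order of operations: any check that runs before decoding can be defeated by encoding the rejected characters, which is why the patch decodes before its checks rather than adding encoded variants to a denylist. The containment check treats the validated name as untrusted once more and verifies where it actually resolves, which catches mistakes in the string checks themselves.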
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.apache.zeppelin:zeppelin-server | Maven | >= 0.9.0, < 0.11.0 | 0.11.0 |
Affected products
Patches (2)
1. f025a697c1d1 [HOTFIX] Validate note name (#4632)
   2 files changed · +20 −0
zeppelin-server/src/main/java/org/apache/zeppelin/service/NotebookService.java+8 −0 modified@@ -24,6 +24,8 @@ import static org.apache.zeppelin.scheduler.Job.Status.ABORT; import java.io.IOException; +import java.net.URLDecoder; +import java.nio.charset.StandardCharsets; import java.text.ParseException; import java.text.SimpleDateFormat; import java.time.Instant; @@ -236,6 +238,12 @@ String normalizeNotePath(String notePath) throws IOException { } notePath = notePath.replace("\r", " ").replace("\n", " "); + + notePath = URLDecoder.decode(notePath, StandardCharsets.UTF_8.toString()); + if (notePath.endsWith("/")) { + throw new IOException("Note name shouldn't end with '/'"); + } + int pos = notePath.lastIndexOf("/"); if ((notePath.length() - pos) > 255) { throw new IOException("Note name must be less than 255");
zeppelin-server/src/test/java/org/apache/zeppelin/service/NotebookServiceTest.java+12 −0 modified@@ -528,5 +528,17 @@ void testNormalizeNotePath() throws IOException { } catch (IOException e) { assertEquals("Note name can not contain '..'", e.getMessage()); } + try { + notebookService.normalizeNotePath("%2e%2e/%2e%2e/tmp/test222"); + fail("Should fail"); + } catch (IOException e) { + assertEquals("Note name can not contain '..'", e.getMessage()); + } + try { + notebookService.normalizeNotePath("./"); + fail("Should fail"); + } catch (IOException e) { + assertEquals("Note name shouldn't end with '/'", e.getMessage()); + } } }
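Review bot: in the `normalizeNotePath` hunk the `URLDecoder.decode` call sits after the `notePath.replace("\r", " ").replace("\n", " ")` line, so a percent-encoded `%0d` or `%0a` is decoded back into a CR/LF after the scrubbing has already run; move the decode above the `replace` calls so every subsequent check operates on the decoded form. Also, `URLDecoder.decode` throws an unchecked `IllegalArgumentException` on a malformed escape such as a lone `%`, which the method's `throws IOException` contract does not cover; wrap the call and rethrow as `IOException` so callers see one error type for invalid names.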
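Review bot: the new test cases cover `%2e%2e` and `./`, but nothing exercises the decode-then-check ordering for an encoded slash; a case such as `notebookService.normalizeNotePath("test%2F")` expecting `"Note name shouldn't end with '/'"` would pin down that the trailing-slash check runs on the decoded name. A positive case for a legitimate name containing `+` or `%` would also document that the new decode step changes what such names resolve to.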
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (6)
- github.com/apache/zeppelin/pull/4632 (GHSA; patch)
- github.com/advisories/GHSA-g64r-xf39-q4p5 (GHSA; advisory)
- lists.apache.org/thread/c0zfjnow3oc3dzc8w5rbkzj8lqj5jm5x (GHSA; vendor advisory)
- nvd.nist.gov/vuln/detail/CVE-2024-31860 (GHSA; advisory)
- www.openwall.com/lists/oss-security/2024/04/09/2 (GHSA; web)
- github.com/apache/zeppelin/commit/f025a697c1d1d0264064d5adf6cb0b20d85041b6 (GHSA; commit)