Apache Zeppelin: Denial of service with invalid notebook name
Description
Improper input validation in Apache Zeppelin's note creation allows denial of service via crafted note names.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
CVE-2024-31862 is an improper input validation vulnerability in Apache Zeppelin's note creation (creating a new note from the UI). It affects versions from 0.10.1 up to, but not including, 0.11.0, and lets an attacker supply a crafted note name that passes validation, leading to a denial of service [1][2][3]. The fix, pull request #4632 (commit f025a69), URL-decodes the note path before the existing '..' traversal check runs and rejects any path that ends with '/' [4].
Exploitation
An attacker who can create notes in the Zeppelin UI exploits this by supplying a malicious note name. Before the fix the name was not URL-decoded before validation, so a percent-encoded traversal sequence such as %2e%2e passed the literal '..' check, and a trailing '/' was not rejected at all; the patch's tests use exactly these inputs [4]. The references characterize the outcome as denial of service [3] without detailing the exact server-side failure. No authentication bypass or network position beyond ordinary UI access to note creation is required.
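To make the difference concrete, here is a Python model (added for this page; not Zeppelin's code) of the normalizeNotePath() checks that are visible in the fix commit, run over a few constructed note names. It mimics java.net.URLDecoder semantics by hand because urllib.parse.unquote does not raise on a malformed escape. normalize_pre_patch models the pre-fix checks, normalize_post_patch the single decode plus trailing-slash check the patch adds, and normalize_strict is a stricter variant suggested here (fixed-point decoding, malformed escapes reported as validation errors, CR/LF scrubbing repeated after decoding) that is not in the patch. The leading-'/' prefixing and the names NoteNameError, MalformedEscape and classify are assumptions for the example.

```python
"""Model of Zeppelin's normalizeNotePath() before and after the CVE-2024-31862
fix, plus a stricter variant. Added example, not project code: only the checks
visible in commit f025a69 are modelled; the leading-'/' handling is an assumption."""


class NoteNameError(Exception):
    """Hypothetical stand-in for the IOException the Java method throws."""


class MalformedEscape(Exception):
    """Hypothetical stand-in for the IllegalArgumentException URLDecoder raises."""


def java_style_url_decode(s: str) -> str:
    """Mimic java.net.URLDecoder.decode(s, "UTF-8"): '+' -> space, %XX -> byte,
    malformed escape -> exception (urllib.parse.unquote would pass it through)."""
    out = bytearray()
    i = 0
    while i < len(s):
        c = s[i]
        if c == "+":
            out.append(0x20)
            i += 1
        elif c == "%":
            pair = s[i + 1:i + 3]
            if len(pair) != 2 or any(h not in "0123456789abcdefABCDEF" for h in pair):
                raise MalformedEscape(f"bad escape at offset {i}: {s[i:i + 3]!r}")
            out.append(int(pair, 16))
            i += 3
        else:
            out.extend(c.encode("utf-8"))
            i += 1
    return out.decode("utf-8", errors="replace")


def _prefix(name: str) -> str:
    # Assumption: the real method guarantees a leading '/' (consistent with the
    # "./" test vector failing on the trailing-slash check), then scrubs CR/LF.
    if not name.startswith("/"):
        name = "/" + name
    return name.replace("\r", " ").replace("\n", " ")


def _common_checks(path: str) -> str:
    """Checks present before and after the fix, as visible in the hunk context."""
    if len(path) - path.rfind("/") > 255:
        raise NoteNameError("Note name must be less than 255")
    if ".." in path:
        raise NoteNameError("Note name can not contain '..'")
    return path


def normalize_pre_patch(name: str) -> str:
    """Pre-fix: no decoding, no trailing-slash check."""
    return _common_checks(_prefix(name))


def normalize_post_patch(name: str) -> str:
    """Post-fix (commit f025a69): decode once, then reject a trailing '/'."""
    path = java_style_url_decode(_prefix(name))
    if path.endswith("/"):
        raise NoteNameError("Note name shouldn't end with '/'")
    return _common_checks(path)


def normalize_strict(name: str, max_rounds: int = 3) -> str:
    """Stricter variant (suggested here, not in the patch): decode to a fixed point,
    treat a malformed escape as a validation error, refuse any '%' that survives,
    and scrub CR/LF again because decoding can reintroduce them."""
    path = _prefix(name)
    try:
        for _ in range(max_rounds):
            decoded = java_style_url_decode(path)
            if decoded == path:
                break
            path = decoded
    except MalformedEscape as exc:
        raise NoteNameError(f"Note name contains a malformed escape: {exc}") from exc
    if "%" in path:
        raise NoteNameError("Note name contains an unresolved escape")
    path = path.replace("\r", " ").replace("\n", " ")
    if path.endswith("/"):
        raise NoteNameError("Note name shouldn't end with '/'")
    return _common_checks(path)


def classify(name: str) -> dict:
    """Run one crafted name through all three versions and record each outcome."""
    versions = {"pre": normalize_pre_patch, "post": normalize_post_patch, "strict": normalize_strict}
    outcome = {}
    for label, fn in versions.items():
        try:
            outcome[label] = "accepted:" + fn(name)
        except NoteNameError as exc:
            outcome[label] = "rejected:" + str(exc)
        except MalformedEscape as exc:  # unchecked in Java: not a validation error
            outcome[label] = "crashed:" + str(exc)
    return outcome


# Constructed note names: a benign one, the two vectors from the patch's tests,
# a plain trailing slash, and three cases the single decode does not cover.
CRAFTED_NAMES = ["my note", "%2e%2e/%2e%2e/tmp/test222", "./", "notes/",
                 "%252e%252e/x", "100%", "line%0Abreak"]

if __name__ == "__main__":
    for crafted in CRAFTED_NAMES:
        print(f"{crafted!r:32} {classify(crafted)}")
```

Running classify over the constructed names shows the post-patch logic rejecting the single-encoded traversal and the trailing slash, accepting the double-encoded form unchanged as "/%2e%2e/x", letting a "%0A" decode into a real newline after the CR/LF scrub has already run, and raising an unchecked error for a bare '%'. The strict variant turns the residual cases into validation errors; the cost is that a note name can no longer contain a literal '%', which is a product decision rather than a security one.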
Impact
The primary impact is denial of service, as the invalid note name can disrupt normal operation of the Zeppelin server [3]. The vulnerability does not lead to data exfiltration or privilege escalation based on available information.
Mitigation
Users are strongly recommended to upgrade to Apache Zeppelin version 0.11.0, which includes the input validation fix [1][2][3]. No workarounds are documented; upgrading is the only advised course of action.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.apache.zeppelin:zeppelin-server | Maven | >= 0.10.1, < 0.11.0 | 0.11.0 |
Patches
f025a697c1d1 [HOTFIX] Validate note name (#4632)
2 files changed · +20 −0
zeppelin-server/src/main/java/org/apache/zeppelin/service/NotebookService.java+8 −0 modified@@ -24,6 +24,8 @@ import static org.apache.zeppelin.scheduler.Job.Status.ABORT; import java.io.IOException; +import java.net.URLDecoder; +import java.nio.charset.StandardCharsets; import java.text.ParseException; import java.text.SimpleDateFormat; import java.time.Instant; @@ -236,6 +238,12 @@ String normalizeNotePath(String notePath) throws IOException { } notePath = notePath.replace("\r", " ").replace("\n", " "); + + notePath = URLDecoder.decode(notePath, StandardCharsets.UTF_8.toString()); + if (notePath.endsWith("/")) { + throw new IOException("Note name shouldn't end with '/'"); + } + int pos = notePath.lastIndexOf("/"); if ((notePath.length() - pos) > 255) { throw new IOException("Note name must be less than 255");
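Review bot: In the normalizeNotePath hunk the decode is inserted after `notePath = notePath.replace("\r", " ").replace("\n", " ");`, so a name such as `line%0Abreak` decodes into a real newline after the CR/LF scrubbing has already run; move the decode above that line or repeat the replace after it. Two further gaps in the same hunk: `URLDecoder.decode` runs once, so a double-encoded traversal (`%252e%252e`) decodes to `%2e%2e` and passes the later `'..'` check unchanged; and `decode` throws `IllegalArgumentException` on a malformed escape (a bare `%` or `%zz`), which is not an `IOException` and propagates out of the method as an unchecked exception instead of the validation message. Consider decoding until the value stops changing (or rejecting any `%` left after decoding) and wrapping the decode in a try/catch that rethrows as `IOException`. Note also that `decode` turns `+` into a space, which silently alters note names containing a literal plus.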
zeppelin-server/src/test/java/org/apache/zeppelin/service/NotebookServiceTest.java+12 −0 modified@@ -528,5 +528,17 @@ void testNormalizeNotePath() throws IOException { } catch (IOException e) { assertEquals("Note name can not contain '..'", e.getMessage()); } + try { + notebookService.normalizeNotePath("%2e%2e/%2e%2e/tmp/test222"); + fail("Should fail"); + } catch (IOException e) { + assertEquals("Note name can not contain '..'", e.getMessage()); + } + try { + notebookService.normalizeNotePath("./"); + fail("Should fail"); + } catch (IOException e) { + assertEquals("Note name shouldn't end with '/'", e.getMessage()); + } } }
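Review bot: The two new test cases cover a single-encoded traversal and `./`, but nothing pins the behaviour for a double-encoded traversal (`%252e%252e/x`), a malformed escape such as `100%`, or a legitimate name containing `+` or `%`; add a case for each so that the decode-once semantics and the exception type are deliberate rather than accidental. The `fail("Should fail")` plus catch-and-assert pattern also lets a wrong exception type escape the catch block uninspected; if the suite is on JUnit 5, `assertThrows(IOException.class, ...)` makes the expected type explicit.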
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/apache/zeppelin/pull/4632 (patch)
- github.com/advisories/GHSA-6623-c6mr-6737 (advisory)
- lists.apache.org/thread/73xdjx43yg4yz8bd4p3o8vzyybkysmn0 (vendor advisory)
- nvd.nist.gov/vuln/detail/CVE-2024-31862 (advisory)
- www.openwall.com/lists/oss-security/2024/04/09/5 (web)
- github.com/apache/zeppelin/commit/f025a697c1d1d0264064d5adf6cb0b20d85041b6 (fix commit)