Apache Zeppelin: Replacing other users notebook, bypassing any permissions
Description
Apache Zeppelin 0.10.1 before 0.11.0 allows authentication bypass by spoofing via replacing existing notes, enabling unauthorized access to other users' notebooks.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Description
CVE-2024-31863 is an authentication bypass by spoofing vulnerability in Apache Zeppelin's zeppelin-server, affecting versions from 0.10.1 up to but not including 0.11.0. The root cause is insufficient validation of user-supplied note paths in NotebookService.normalizeNotePath: the check that rejects ".." ran on the raw, still URL-encoded string, so an encoded traversal sequence was not recognised and the resulting path could point at, and replace, an existing note belonging to another user. The fix in commit f025a697c1d1d0264064d5adf6cb0b20d85041b6 URL-decodes the path before the existing ".." check and additionally rejects paths ending in "/" [1][3].
Exploitation
An attacker exploits this by crafting a note name containing URL-encoded path traversal characters, such as %2e%2e/ (decoded to ../), so that the path resolves into another user's notebook location and the save overwrites that user's note. No privilege beyond the ability to create or rename notes is required; Zeppelin's per-note permission checks are bypassed because the note being written is not the note the attacker appears to be operating on, that is, the note identity is spoofed [2]. The attack surface is the note creation/renaming functionality, which did not sanitise the supplied path before comparing it against the ".." rule.
Impact
Successful exploitation lets an attacker replace any note in the Zeppelin instance regardless of ownership or configured permissions, and with it gain access to other users' notebooks. The replaced content is attacker-controlled, so the outcome can be data leakage, manipulation of analytical results, or injection of malicious code into notebooks that other users later open and run. The vulnerability is rated moderate severity, but in multi-tenant deployments, where notebooks of different users share one server, the potential for data compromise is significant [2].
Mitigation
Users should upgrade to Apache Zeppelin 0.11.0 or later, which includes the fix: note paths are URL-decoded and then rejected if they contain ".." or end with "/". No workaround is documented upstream; upgrading is the recommended action [1][2][3]. The unit test added with the fix records the expected post-upgrade behaviour, which can be used as a quick check: a name such as %2e%2e/%2e%2e/tmp/test222 is rejected with "Note name can not contain '..'", and ./ with "Note name shouldn't end with '/'" [3]. Until the upgrade is applied, restricting who may create or rename notes reduces exposure but does not remove the flaw (an operational precaution, not upstream guidance).
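To make the bypass described under Exploitation and the check described under Mitigation concrete, here is a small Python model of the note-path validation before and after the fix. This is an added example written for this page, not Zeppelin's Java code; it mirrors the logic visible in the patch (CR/LF replacement, one URL-decode pass, the ".." and trailing-slash rules, the 255-character name limit). The `normalize_strict` variant goes beyond the patch and is an assumption of mine, not something Zeppelin does: it also refuses double-encoded input, backslashes and "." segments so the decision does not depend on whether a later layer decodes the path again. The sample names are constructed; two of them (`%2e%2e/%2e%2e/tmp/test222` and `./`) are the inputs the patch's own test adds.

```python
"""Model of Zeppelin's note-path validation before and after the
CVE-2024-31863 fix. Added example in Python, not Zeppelin's Java code."""
from urllib.parse import unquote_plus

MAX_NOTE_NAME = 255  # mirrors the "must be less than 255" check in the patch


def _sanitize_newlines(note_path: str) -> str:
    # Both versions map CR/LF to spaces first (visible context in the patch).
    return note_path.replace("\r", " ").replace("\n", " ")


def normalize_pre_fix(note_path: str) -> str:
    """Pre-fix model: the '..' check runs on the raw string, so the
    URL-encoded form %2e%2e is never recognised as traversal."""
    note_path = _sanitize_newlines(note_path)
    if ".." in note_path:
        raise ValueError("Note name can not contain '..'")
    return note_path


def normalize_fixed(note_path: str) -> str:
    """Model of commit f025a697: decode once (java.net.URLDecoder also turns
    '+' into a space, hence unquote_plus), then reject trailing '/' and '..'.
    Python's unquote_plus leaves a malformed escape as-is, whereas URLDecoder
    throws; that difference is not modelled here."""
    note_path = _sanitize_newlines(note_path)
    note_path = unquote_plus(note_path)
    if note_path.endswith("/"):
        raise ValueError("Note name shouldn't end with '/'")
    if ".." in note_path:
        raise ValueError("Note name can not contain '..'")
    if len(note_path) - note_path.rfind("/") > MAX_NOTE_NAME:
        raise ValueError("Note name must be less than 255")
    return note_path


def normalize_strict(note_path: str) -> str:
    """Assumed hardening beyond the patch (my suggestion, not Zeppelin code):
    refuse double-encoded input, backslashes and any '.'/'..'/empty segment,
    so the result does not depend on whether a later layer decodes again."""
    note_path = _sanitize_newlines(note_path)
    decoded = unquote_plus(note_path)
    if unquote_plus(decoded) != decoded:
        raise ValueError("Note name must not be double-encoded")
    if "\\" in decoded:
        raise ValueError("Note name must not contain '\\'")
    segments = decoded.split("/")
    # A leading '/' yields an empty first segment; that is the only empty one allowed.
    for seg in segments[1:] if decoded.startswith("/") else segments:
        if seg in ("", ".", ".."):
            raise ValueError(f"Invalid path segment {seg!r}")
    if len(segments[-1]) > MAX_NOTE_NAME:
        raise ValueError("Note name must be less than 255")
    return decoded


def check(fn, note_path: str):
    """Run one validator and report ('ok', normalized) or ('rejected', reason)."""
    try:
        return ("ok", fn(note_path))
    except ValueError as e:
        return ("rejected", str(e))


# Constructed inputs for this example (not from a real deployment).
SAMPLES = [
    "/Users/alice/analysis",          # benign
    "../Users/bob/secrets",           # literal traversal, caught before and after
    "%2e%2e/%2e%2e/tmp/test222",      # encoded traversal: the CVE bypass
    "./",                             # trailing slash case from the patch test
    "%252e%252e/Users/bob/secrets",   # double-encoded: survives a single decode
    "Users\\bob\\secrets",            # backslashes, untouched by the patch
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(repr(sample))
        for name, fn in (("pre-fix", normalize_pre_fix),
                         ("fixed", normalize_fixed),
                         ("strict", normalize_strict)):
            print(f"  {name:8s} {check(fn, sample)}")
```

Running the block shows the two behaviours side by side: the pre-fix model accepts `%2e%2e/%2e%2e/tmp/test222` unchanged, the patched model rejects it with the same message the patch's test expects, and only the strict variant refuses the double-encoded and backslash forms.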
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.zeppelin:zeppelin-server (Maven) | >= 0.10.1, < 0.11.0 | 0.11.0 |
Patches
f025a697c1d1 [HOTFIX] Validate note name (#4632)
2 files changed · +20 −0
zeppelin-server/src/main/java/org/apache/zeppelin/service/NotebookService.java+8 −0 modified@@ -24,6 +24,8 @@ import static org.apache.zeppelin.scheduler.Job.Status.ABORT; import java.io.IOException; +import java.net.URLDecoder; +import java.nio.charset.StandardCharsets; import java.text.ParseException; import java.text.SimpleDateFormat; import java.time.Instant; @@ -236,6 +238,12 @@ String normalizeNotePath(String notePath) throws IOException { } notePath = notePath.replace("\r", " ").replace("\n", " "); + + notePath = URLDecoder.decode(notePath, StandardCharsets.UTF_8.toString()); + if (notePath.endsWith("/")) { + throw new IOException("Note name shouldn't end with '/'"); + } + int pos = notePath.lastIndexOf("/"); if ((notePath.length() - pos) > 255) { throw new IOException("Note name must be less than 255");
zeppelin-server/src/test/java/org/apache/zeppelin/service/NotebookServiceTest.java+12 −0 modified@@ -528,5 +528,17 @@ void testNormalizeNotePath() throws IOException { } catch (IOException e) { assertEquals("Note name can not contain '..'", e.getMessage()); } + try { + notebookService.normalizeNotePath("%2e%2e/%2e%2e/tmp/test222"); + fail("Should fail"); + } catch (IOException e) { + assertEquals("Note name can not contain '..'", e.getMessage()); + } + try { + notebookService.normalizeNotePath("./"); + fail("Should fail"); + } catch (IOException e) { + assertEquals("Note name shouldn't end with '/'", e.getMessage()); + } } }
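Review bot: in the NotebookService.java hunk, the new `notePath = URLDecoder.decode(notePath, StandardCharsets.UTF_8.toString());` line sits after the existing `notePath = notePath.replace("\r", " ").replace("\n", " ");` context line, so an encoded `%0d` or `%0a` becomes a literal CR/LF only after that sanitisation has already run; move the decode above the replace (or repeat the replace after it) so every check sees the same string. Two further points on the same line: `URLDecoder.decode` turns `+` into a space, which silently alters legitimate note names containing a plus sign, and it throws an unchecked `IllegalArgumentException` on a malformed escape such as a trailing `%`, rather than the `IOException` the surrounding checks use, so catching it and rethrowing as `IOException("Note name is not valid URL encoding")` would keep the method's error contract. Finally, the path is decoded exactly once, so `%252e%252e` decodes to `%2e%2e` and passes the `'..'` check; whether any later layer decodes again is not visible in this hunk, but rejecting input that decodes differently a second time would close that path regardless.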
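Review bot: the NotebookServiceTest.java hunk adds cases only for a single-encoded `%2e%2e/` and for `./`; there is no case for a double-encoded name (`%252e%252e/`), for a name containing `+` or a literal `%` (which `URLDecoder.decode` now rewrites or rejects), or for an encoded newline (`%0a`), so the decode's side effects on legitimate names and the ordering relative to the CR/LF replacement are untested. Adding those pins down the intended behaviour. Style: the package-private `void testNormalizeNotePath()` signature suggests JUnit 5, where `assertThrows(IOException.class, () -> notebookService.normalizeNotePath("./"))` followed by `assertEquals` on the returned exception's `getMessage()` is shorter than the repeated try/`fail`/catch blocks.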
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
[1] github.com/advisories/GHSA-m65c-wmw9-vmpp (GHSA advisory)
[2] lists.apache.org/thread/3od2gfpwllmtc9c5ggw04ohn8s7w3ct9 (vendor advisory)
[3] nvd.nist.gov/vuln/detail/CVE-2024-31863 (NVD)
[4] www.openwall.com/lists/oss-security/2024/04/09/6 (oss-security)
[5] github.com/apache/zeppelin/commit/f025a697c1d1d0264064d5adf6cb0b20d85041b6 (fix commit)