VYPR
Moderate severity · NVD Advisory · Published Aug 3, 2025 · Updated Nov 4, 2025

Apache Zeppelin: Arbitrary file read by adding malicious JDBC connection string

CVE-2024-52279

Description

Improper Input Validation vulnerability in Apache Zeppelin. The fix for JDBC URL validation in CVE-2024-31864 did not account for URL encoded input.

This issue affects Apache Zeppelin: from 0.11.1 before 0.12.0.

Users are recommended to upgrade to version 0.12.0, which fixes the issue.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Apache Zeppelin 0.11.1 before 0.12.0 has an improper input validation flaw in JDBC URL handling, enabling arbitrary file reads via URL-encoded malicious strings.

Vulnerability

Overview

The improper input validation vulnerability in Apache Zeppelin's JDBC interpreter allows an attacker to bypass URL validation by encoding parts of the JDBC URL. The previous fix for CVE-2024-31864 did not account for URL-encoded input, leaving a bypass open [1][3]. This issue affects all Zeppelin versions from 0.11.1 up to but not including 0.12.0 [2].

Exploitation

Details

An attacker with the ability to add a JDBC connection string (for example, through notebook creation or interpreter configuration) can craft a malicious JDBC URL that uses percent-encoding (e.g., %2F for '/') to circumvent validation checks that inspect only the raw string. The fix introduced in pull request #4838 adds validation on the decoded URL, ensuring that both raw and encoded forms of disallowed patterns are blocked [4]. Beyond the ability to submit notebooks or interpreter settings, no further authentication is necessarily required; in shared environments, any user with notebook-creation privileges could exploit this.

Impact

Successful exploitation can lead to arbitrary file reads from the server's filesystem. By leveraging JDBC drivers (such as those for MySQL or Postgres) that support file storage in connection strings, an attacker may read sensitive files (e.g., configuration files, private keys, or data) accessible to the Zeppelin process [3]. The severity is rated moderate (CVSS v4.0 not yet assigned per NVD).

Mitigation

Users should upgrade to Apache Zeppelin version 0.12.0, which includes the fix that validates the decoded (UTF-8) JDBC URL [1][4]. No workaround is documented other than upgrading, as the validation bypass inherently undermines previous mitigations.
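To make the Details and Mitigation points concrete, here is an added example (not Zeppelin's own code, and not the logic of pull request #4838) contrasting a validator that inspects only the raw connection string with one that also checks every percent-decoded form. The denylist contents, the helper names and the sample URLs are constructed for illustration; Zeppelin's real rule set is not on this page.

```python
from urllib.parse import unquote

# Illustrative denylist of substrings a JDBC URL validator might refuse.
# Assumption for this example only; not Zeppelin's actual rule set.
ILLUSTRATIVE_DENYLIST = ("file:", "localfile")

# Bound repeated decoding so nested encodings (%25 -> %) cannot loop forever.
MAX_DECODE_ROUNDS = 3

# Constructed sample inputs (hypothetical "jdbc:example" driver, no real host).
SAFE_URL = "jdbc:postgresql://db.example.internal:5432/analytics"
RAW_BAD_URL = "jdbc:example://host/db?opt=file:///example"
ENCODED_URL = "jdbc:example://host/db?opt=file%3A%2F%2Fetc%2Fexample"
DOUBLE_ENCODED_URL = "jdbc:example://host/db?opt=file%253A"


def _contains_disallowed(text: str) -> bool:
    """Case-insensitive substring match against the illustrative denylist."""
    lowered = text.lower()
    return any(pattern in lowered for pattern in ILLUSTRATIVE_DENYLIST)


def naive_validate(jdbc_url: str) -> bool:
    """Pre-fix style check that looks only at the raw string.

    Returns True when the URL is accepted. An encoded form of a
    disallowed pattern slips through because '%3A' is not ':'.
    """
    return not _contains_disallowed(jdbc_url)


def decode_forms(jdbc_url: str) -> list[str]:
    """Return the raw URL plus each successive percent-decoded form.

    Decoding stops when it reaches a fixpoint (nothing left to decode)
    or when MAX_DECODE_ROUNDS is exhausted. Raises UnicodeDecodeError on
    percent sequences that are not valid UTF-8.
    """
    forms = [jdbc_url]
    current = jdbc_url
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(current, encoding="utf-8", errors="strict")
        if decoded == current:
            break
        forms.append(decoded)
        current = decoded
    return forms


def hardened_validate(jdbc_url: str) -> bool:
    """Post-fix style check: reject if ANY raw or decoded form matches.

    Undecodable input is refused outright rather than being passed to
    the driver in an unknown state.
    """
    try:
        forms = decode_forms(jdbc_url)
    except UnicodeDecodeError:
        return False
    return not any(_contains_disallowed(form) for form in forms)


if __name__ == "__main__":
    for label, url in (
        ("safe", SAFE_URL),
        ("raw disallowed", RAW_BAD_URL),
        ("percent-encoded", ENCODED_URL),
        ("double-encoded", DOUBLE_ENCODED_URL),
    ):
        print(f"{label:16} naive={naive_validate(url)!s:5} "
              f"hardened={hardened_validate(url)!s:5}")
```

The design point is that validation must operate on the same representation the driver will eventually see, and since an attacker controls how many encoding layers are applied, the check walks every decoded form up to a fixed bound rather than decoding exactly once. Running the block shows the naive check accepting the percent-encoded string while the hardened check rejects it.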

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.apache.zeppelin:zeppelin-jdbc (Maven)
Affected versions: >= 0.11.1, < 0.12.0
Patched versions: 0.12.0

Affected products

2 products
  • Apache/Zeppelin (llm-fuzzy)
    Range: >=0.11.1 <0.12.0
  • Apache Software Foundation/Apache Zeppelin (v5)
    Range: 0.11.1

Patches (0)

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References (7)

News mentions (0)

No linked articles in our index yet.