CVE-2019-10095: bash command injection in spark interpreter
First published: Thu Sep 02 2021(Updated: )
bash command injection vulnerability in Apache Zeppelin allows an attacker to inject system commands into Spark interpreter settings. This issue affects Apache Zeppelin Apache Zeppelin version 0.9.0 and prior versions.
Credit: security@apache.org security@apache.org security@apache.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Apache Zeppelin | <=0.9.0 | |
| maven/org.apache.zeppelin:zeppelin | <0.10.0 | 0.10.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://nvd.nist.gov/vuln/detail/CVE-2019-10095
- https://lists.apache.org/thread.html/rdf06e8423833b3daadc30c56a2ff47c48920864d5199476daa897208%40%3Cusers.zeppelin.apache.org%3E
- https://lists.apache.org/thread.html/rdf06e8423833b3daadc30c56a2ff47c48920864d5199476daa897208@%3Cusers.zeppelin.apache.org%3E
- http://www.openwall.com/lists/oss-security/2021/09/02/1
- https://lists.apache.org/thread.html/rdf06e8423833b3daadc30c56a2ff47c48920864d5199476daa897208@%3Cannounce.apache.org%3E
- https://lists.apache.org/thread.html/rd56389ba9cab30a6c976b9a4a6df0f85cbe8fba6a60a3cf6e3ba716b@%3Cusers.zeppelin.apache.org%3E
- https://lists.apache.org/thread.html/rd56389ba9cab30a6c976b9a4a6df0f85cbe8fba6a60a3cf6e3ba716b%40%3Cusers.zeppelin.apache.org%3E
- https://lists.apache.org/thread.html/rdf06e8423833b3daadc30c56a2ff47c48920864d5199476daa897208%40%3Cannounce.apache.org%3E
- https://security.gentoo.org/glsa/202311-04
- https://github.com/advisories/GHSA-4qw8-pgpr-p9mq (Advisory)
Frequently Asked Questions
What is the severity of CVE-2019-10095?
CVE-2019-10095 has a medium severity rating due to its potential for command injection.
How do I fix CVE-2019-10095?
To fix CVE-2019-10095, upgrade to Apache Zeppelin version 0.10.0 or later.
What versions of Apache Zeppelin are affected by CVE-2019-10095?
CVE-2019-10095 affects Apache Zeppelin versions 0.9.0 and earlier.
What type of vulnerability is CVE-2019-10095?
CVE-2019-10095 is a bash command injection vulnerability.
Which components are impacted by CVE-2019-10095?
The Spark interpreter settings in Apache Zeppelin are impacted by CVE-2019-10095.
- collector/nvd-index
- collector/nvd-api
- collector/github-advisory-latest
- alias/GHSA-4qw8-pgpr-p9mq
- alias/CVE-2019-10095
- collector/nvd-cve
- collector/github-advisory
- agent/softwarecombine
- agent/first-publish-date
- agent/type
- agent/references
- agent/weakness
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/last-modified-date
- agent/author
- agent/title
- agent/description
- agent/event
- agent/trending
- agent/tags
- agent/source
- vendor/apache
- canonical/apache zeppelin
- version/apache zeppelin/0.9.0
- package-manager/maven