Posted to dev@zeppelin.apache.org by "Cherry Li (Jira)" <ji...@apache.org> on 2022/01/04 10:36:00 UTC

[jira] [Created] (ZEPPELIN-5624) Arbitrary file deletion vulnerability

Cherry Li created ZEPPELIN-5624:
-----------------------------------

             Summary: Arbitrary file deletion vulnerability
                 Key: ZEPPELIN-5624
                 URL: https://issues.apache.org/jira/browse/ZEPPELIN-5624
             Project: Zeppelin
          Issue Type: Bug
          Components: security
    Affects Versions: 0.10.0, 0.9.0
            Reporter: Cherry Li
         Attachments: [Hotfix]_Determine_the_legality_of_the_incoming_file_path.patch

I found a vulnerability in the Apache Zeppelin project (an unauthorized-level vulnerability).

By accessing
{code:java}
/api/interpreter/setting/..%2Flogs {code}
you can delete the logs folder in the directory where the current project is located. If it is changed to
{code:java}
/api/interpreter/setting/..%2F..%2Fzeppelin {code}
then you can delete the entire Zeppelin application directory, including all configuration files, Zeppelin main program files, etc.



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
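The report above describes a classic path-traversal deletion: the `{settingId}` segment of the DELETE route is URL-decoded by the container (`%2F` becomes `/`), joined onto a directory, and removed recursively with no check that the result still lies inside that directory. The example below is added here and is not Zeppelin's code or the attached hotfix patch. It models a hypothetical handler that maps the id onto a folder under an assumed `<app>/settings` directory (so `..%2Flogs` reaches `<app>/logs` and `..%2F..%2Fzeppelin` reaches the application root, matching the two ids in the report), shows the vulnerable resolution beside a hardened one, and replays both ids against each on a scratch directory tree constructed for the demo.

```python
"""Path traversal in a REST delete handler: vulnerable vs hardened resolution.

Added example, not Apache Zeppelin's code. The directory layout, the names
vulnerable_target/safe_target/delete_setting and the idea that the handler
deletes a folder named after {settingId} are assumptions for illustration.
"""
import os
import shutil
import tempfile
from urllib.parse import unquote

# Constructed layout used by demo():
#   <root>/zeppelin/logs/             <- what "..%2Flogs" reaches
#   <root>/zeppelin/settings/spark/   <- a legitimate setting directory
# settings_dir is <root>/zeppelin/settings, so "..%2F..%2Fzeppelin" resolves
# to <root>/zeppelin, the whole application directory.


def vulnerable_target(settings_dir: str, setting_id: str) -> str:
    """Resolve the way the report implies: decode and join, no validation."""
    # The servlet container decodes %2F to '/' before the handler sees the
    # segment; unquote() stands in for that step here.
    return os.path.normpath(os.path.join(settings_dir, unquote(setting_id)))


def safe_target(settings_dir: str, setting_id: str) -> str:
    """Resolve only if the id is one plain path component inside settings_dir."""
    decoded = unquote(setting_id)
    # Allow-list the id shape: a single component, no separators, no dot entries.
    if (not decoded or decoded in (".", "..")
            or any(c in decoded for c in ("/", "\\", "\x00"))):
        raise ValueError(f"invalid setting id: {setting_id!r}")
    base = os.path.realpath(settings_dir)
    candidate = os.path.realpath(os.path.join(base, decoded))
    # Canonicalise, then check containment; this also catches a symlink
    # inside settings_dir that points back out of it.
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"setting id escapes settings dir: {setting_id!r}")
    return candidate


def delete_setting(settings_dir: str, setting_id: str, resolve) -> bool:
    """Delete the directory the resolver returns; True if something was removed."""
    target = resolve(settings_dir, setting_id)
    if os.path.isdir(target):
        shutil.rmtree(target)
        return True
    return False


def demo() -> dict:
    """Replay the report's two ids against both resolvers on a scratch tree."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        app = os.path.join(root, "zeppelin")
        settings = os.path.join(app, "settings")
        for d in ("logs", os.path.join("settings", "spark")):
            os.makedirs(os.path.join(app, d))

        # 1. Vulnerable resolver: "..%2Flogs" removes <root>/zeppelin/logs.
        results["vuln_deletes_logs"] = delete_setting(settings, "..%2Flogs", vulnerable_target)
        results["logs_gone"] = not os.path.exists(os.path.join(app, "logs"))

        # 2. Hardened resolver: every traversal variant is rejected before any I/O.
        traversal_ids = ("..%2Flogs", "..%2F..%2Fzeppelin", "%2e%2e/spark", "spark%2F..%2F..%2Flogs")
        rejected = 0
        for bad in traversal_ids:
            try:
                delete_setting(settings, bad, safe_target)
            except ValueError:
                rejected += 1
        results["safe_rejected_all"] = rejected == len(traversal_ids)

        # 3. Hardened resolver still serves a legitimate id and leaves the app intact.
        results["safe_deletes_spark"] = delete_setting(settings, "spark", safe_target)
        results["app_dir_intact"] = os.path.isdir(app) and os.path.isdir(settings)

        # 4. Vulnerable resolver: "..%2F..%2Fzeppelin" removes the application root.
        results["vuln_deletes_app"] = delete_setting(settings, "..%2F..%2Fzeppelin", vulnerable_target)
        results["app_gone"] = not os.path.exists(app)
    return results


if __name__ == "__main__":
    print(demo())
```

The hardened version does two independent things on purpose: it rejects any id that is not a single path component (which alone defeats the two ids in the report), and it still canonicalises and checks containment afterwards, because a lexical check cannot see a symlink that was planted inside the settings directory. Doing the check on the realpath of the candidate rather than on the raw id is what makes the containment test meaningful.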