Posted to dev@zeppelin.apache.org by "Cherry Li (Jira)" <ji...@apache.org> on 2022/01/04 10:36:00 UTC
[jira] [Created] (ZEPPELIN-5624) Arbitrary file deletion vulnerability
Cherry Li created ZEPPELIN-5624:
-----------------------------------
Summary: Arbitrary file deletion vulnerability
Key: ZEPPELIN-5624
URL: https://issues.apache.org/jira/browse/ZEPPELIN-5624
Project: Zeppelin
Issue Type: Bug
Components: security
Affects Versions: 0.10.0, 0.9.0
Reporter: Cherry Li
Attachments: [Hotfix]_Determine_the_legality_of_the_incoming_file_path.patch
I found a vulnerability in the Apache Zeppelin (Unauthorized Level Vulnerability) project.
By accessing
{code:java}
/api/interpreter/setting/..%2Flogs
{code}
you can delete the logs folder in the directory where the current project is located. If it is changed to
{code:java}
/api/interpreter/setting/..%2F..%2Fzeppelin
{code}
then you can delete the entire Zeppelin application directory, including all configuration files, Zeppelin main program files, etc.
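As an added example (not Zeppelin's own code and not the attached patch), the following Java helper shows the kind of check the hotfix title describes: it decodes the incoming setting id from the URL and rejects any value that would resolve outside the settings directory. The base directory, class and method names are assumptions made for the illustration.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.nio.file.Path;
import java.nio.file.Paths;

// Hypothetical helper, not Zeppelin's own code: decides whether a path
// segment received from a URL such as /api/interpreter/setting/{id}
// may be used to locate a file under a fixed base directory.
public final class SettingPathGuard {

  private SettingPathGuard() {}

  /** Returns true only if rawId stays inside baseDir after decoding and normalisation. */
  public static boolean isSafeSettingId(Path baseDir, String rawId) {
    // Decode percent-encoding explicitly so "..%2Flogs" is seen as "../logs".
    // A stray '%' that does not form a valid escape is rejected outright.
    String decoded;
    try {
      decoded = URLDecoder.decode(rawId, StandardCharsets.UTF_8);
    } catch (IllegalArgumentException e) {
      return false;
    }
    // A legitimate setting id is a single path segment: no separators,
    // and neither "." nor "..".
    if (decoded.isEmpty() || decoded.contains("/") || decoded.contains("\\")
        || decoded.equals(".") || decoded.equals("..")) {
      return false;
    }
    // Defence in depth: resolve against the base directory and confirm the
    // normalised absolute result is still strictly below it.
    Path base = baseDir.toAbsolutePath().normalize();
    Path candidate = base.resolve(decoded).normalize();
    return candidate.startsWith(base) && !candidate.equals(base);
  }

  public static void main(String[] args) {
    Path base = Paths.get("/opt/zeppelin/conf/interpreter"); // assumed layout
    // Constructed sample ids: one legitimate, the two from the report, one double-encoded.
    String[] ids = {"spark", "..%2Flogs", "..%2F..%2Fzeppelin", "%2e%2e%2flogs"};
    for (String id : ids) {
      System.out.println(id + " -> " + (isSafeSettingId(base, id) ? "allowed" : "rejected"));
    }
  }
}
```

If the servlet container has already percent-decoded the path segment before the handler sees it, decode only once; decoding twice would mangle a legitimate id containing a literal '%'.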
--
This message was sent by Atlassian Jira
(v8.20.1#820001)