
CVE-2024-41169: Apache Zeppelin exposes server resources to unauthenticated attackers

CVSS Score: 7.5 (CVSS v3.1)

Basic Information

EPSS Score: 0.06414%
Published: 7/12/2025
Updated: 7/14/2025
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Package Name                              Ecosystem  Vulnerable Versions   First Patched Version
org.apache.zeppelin:zeppelin-interpreter  maven      >= 0.10.1, < 0.12.0   0.12.0
org.apache.zeppelin:zeppelin-server       maven      >= 0.10.1, < 0.12.0   0.12.0

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability is the unauthenticated raft-based cluster feature of Apache Zeppelin. The raft server protocol, implemented by classes such as ClusterManagerServer and ClusterStateMachine, performs no authentication, so anyone who can reach the cluster port can read the metadata the cluster shares, which exposes sensitive server resources. The most accessible entry point is the REST API provided by ClusterRestApi: its getClusterNodes and getClusterNode endpoints return information about the servers in the cluster, and both call ClusterManagerServer.getClusterMeta, which fetches the data from the raft cluster. The patch removes the cluster implementation entirely rather than adding authentication to it, which indicates that the whole feature was judged a security risk. In a runtime profile, the methods of ClusterRestApi are the most direct observable vulnerable functions, since they are the highest-level code an external attacker reaches; the raft protocol beneath them is a second, separately reachable unauthenticated surface.

Vulnerable functions

org.apache.zeppelin.rest.ClusterRestApi.getClusterNodes
zeppelin-server/src/main/java/org/apache/zeppelin/rest/ClusterRestApi.java
This function was a REST API endpoint that exposed detailed information about all nodes in the Zeppelin cluster, including resource usage (CPU, memory). It was accessible without authentication, allowing an attacker to gain insight into the server's resources. The underlying raft-based cluster implementation was unauthenticated, which is the root cause of the vulnerability. The fix was to remove the entire cluster feature, including this API.
org.apache.zeppelin.rest.ClusterRestApi.getClusterNode
zeppelin-server/src/main/java/org/apache/zeppelin/rest/ClusterRestApi.java
Similar to `getClusterNodes`, this function was a REST API endpoint that provided detailed information about a specific node in the cluster. It was unauthenticated and allowed an attacker to query for specific server resources. The fix was to remove the entire cluster feature.
org.apache.zeppelin.cluster.ClusterManagerServer.getClusterMeta
zeppelin-interpreter/src/main/java/org/apache/zeppelin/cluster/ClusterManagerServer.java
This function was responsible for retrieving metadata from the raft cluster. It was called by the vulnerable REST API endpoints (`getClusterNodes`, `getClusterNode`) to fetch the server resource information. The function itself interacted with the unauthenticated raft client, making it a key part of the vulnerability chain.
org.apache.zeppelin.cluster.ClusterStateMachine.get
zeppelin-interpreter/src/main/java/org/apache/zeppelin/cluster/ClusterStateMachine.java
This function was part of the raft state machine and was responsible for retrieving the stored metadata. It was ultimately called by `getClusterMeta` to get the server resource information. An attacker could potentially interact with the state machine directly through the unauthenticated raft protocol.
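As an added triage example (not code from the advisory or the Zeppelin project), the following Python helpers turn the affected range in the table above and the attack chain described in the root cause analysis and the vulnerable-function list into checks a responder can run: classifying a deployment's version string, classifying the response to an unauthenticated request against the cluster REST endpoint, and scanning a request log for successful anonymous calls to that API. The REST path /api/cluster/nodes, the Common Log Format request log, and the JSON keys in the sample response are assumptions for illustration and are not taken from the page; the sample log lines and response body are constructed.

```python
"""Triage helpers for CVE-2024-41169 (Apache Zeppelin raft cluster feature).

Added example; not part of the advisory or of Apache Zeppelin.
Assumptions not stated on the page: the cluster REST API is served under
/api/cluster/... (e.g. /api/cluster/nodes) and a Common Log Format request
log (reverse proxy or Jetty request log) is available. The affected range
comes from the advisory table: >= 0.10.1, < 0.12.0.
"""
import json
import re
from typing import List, Tuple

AFFECTED_MIN = (0, 10, 1)   # first vulnerable release per the advisory table
FIRST_FIXED = (0, 12, 0)    # cluster feature removed from this release on


def parse_version(v: str) -> Tuple[int, int, int]:
    """Turn '0.11.2', '0.11.2-SNAPSHOT' or '0.12.0-rc1' into a comparable tuple."""
    core = v.strip().split("-")[0]
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2])


def is_affected(version: str) -> bool:
    """True when the version lies inside the advisory's vulnerable range."""
    return AFFECTED_MIN <= parse_version(version) < FIRST_FIXED


def classify_cluster_probe(status: int, body: str) -> str:
    """Classify an *unauthenticated* GET against the cluster nodes endpoint.

    'exposed' - cluster metadata came back without credentials (the bug)
    'auth'    - an authentication layer (e.g. Shiro) answered instead
    'absent'  - endpoint missing: cluster mode off, or 0.12.0+ where it no longer exists
    'unknown' - anything else; inspect by hand
    """
    if status in (401, 403):
        return "auth"
    if status in (404, 501):
        return "absent"
    if status == 200:
        try:
            doc = json.loads(body)
        except ValueError:
            return "unknown"
        # Zeppelin's REST responses wrap the payload as {"status": ..., "body": ...};
        # fall back to the whole document if that wrapper is not present.
        payload = doc.get("body", doc) if isinstance(doc, dict) else doc
        if isinstance(payload, (list, dict)) and payload:
            return "exposed"
    return "unknown"


# Common Log Format: ip ident user [time] "METHOD path proto" status size
LOG_RE = re.compile(r'^(\S+) \S+ (\S+) \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')


def find_cluster_api_hits(lines: List[str]) -> List[Tuple[str, str, str, int]]:
    """Return (client_ip, user, path, status) for every successful (2xx) request
    to the cluster API made without an authenticated user ('-' in the user field).
    Such hits are the REST-layer half of this CVE being exercised."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, user, _method, path, status = m.groups()
        if path.startswith("/api/cluster/") and status.startswith("2") and user == "-":
            hits.append((ip, user, path, int(status)))
    return hits


# Constructed sample data (illustrative keys, not captured from a real server).
SAMPLE_NODES_BODY = json.dumps({
    "status": "OK", "message": "",
    "body": [{"NODE_NAME": "zeppelin-1:6000", "CPU_USED": 12, "MEMORY_USED": 4096}],
})
SAMPLE_LOG = [
    '203.0.113.5 - - [12/Jul/2025:10:00:01 +0000] "GET /api/cluster/nodes HTTP/1.1" 200 812',
    '203.0.113.5 - - [12/Jul/2025:10:00:02 +0000] "GET /api/cluster/node/zeppelin-1:6000/spark HTTP/1.1" 200 311',
    '198.51.100.9 - admin [12/Jul/2025:10:01:00 +0000] "GET /api/notebook HTTP/1.1" 200 4012',
    '198.51.100.9 - - [12/Jul/2025:10:01:05 +0000] "GET /api/cluster/nodes HTTP/1.1" 401 0',
]

if __name__ == "__main__":
    for v in ("0.10.0", "0.10.1", "0.11.2-SNAPSHOT", "0.12.0"):
        print(v, "affected" if is_affected(v) else "not affected")
    print("probe:", classify_cluster_probe(200, SAMPLE_NODES_BODY))
    for hit in find_cluster_api_hits(SAMPLE_LOG):
        print("anonymous cluster API hit:", hit)
```

An 'auth' result from the REST probe only shows that the REST layer is protected; because the root cause is the raft protocol itself, the cluster listener (enabled by the zeppelin.cluster.addr property, a detail assumed here rather than stated on the page) remains a separate unauthenticated surface, and the remediation the advisory supports is upgrading to 0.12.0, where the feature no longer exists.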

WAF Protection Rules

WAF Rule

The attacker can use the raft server protocol in an unauthenticated way. The attacker can see the server's resources, including directories and files. This issue affects Apache Zeppelin: from 0.10.1 up to 0.12.0. Users are recommended to upgrade to
