Affects Version/s: 0.8.1
Fix Version/s: 0.8.2
Apache Zeppelin 0.8.1 on Mac OS and Linux (probably other platforms as well).
If a user follows the quickstart instructions for Zeppelin (https://zeppelin.apache.org/docs/latest/quickstart/install.html), they will end up with a network service listening on their machine which is:
1 - Accessible remotely, because the service listens on all interfaces by default (tested on Mac OS and Linux).
2 - Accessible anonymously. Other documents mention the optional Shiro configuration, but this is not referenced in the quickstart, and not part of the default configuration.
3 - Capable of arbitrary code execution on the host where it is running.
This seems exceedingly dangerous.
I would strongly recommend:
a - Bind only to the loopback interface by default.
b - Require authentication by default. At a minimum, the Shiro documentation should be mentioned in the quickstart guide.
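A hardening script for the two recommendations above, written as an added example (not code from the Zeppelin project). It assumes the server reads the `zeppelin.server.addr` property from `conf/zeppelin-site.xml` and the Shiro realm from `conf/shiro.ini` in the directory passed to it; the user name and password it writes are placeholders to be replaced.

```shell
#!/bin/sh
# Assumption: the directory given as $1 is Zeppelin's conf/ directory and is writable.
set -eu

# Bind the web server to loopback only (the 0.8.1 default, 0.0.0.0, is every interface).
write_site_xml() {  # $1 = conf dir
  cat > "$1/zeppelin-site.xml" <<'EOF'
<?xml version="1.0"?>
<configuration>
  <property>
    <name>zeppelin.server.addr</name>
    <value>127.0.0.1</value>
    <description>Server binding address (loopback only)</description>
  </property>
  <property>
    <name>zeppelin.server.port</name>
    <value>8080</value>
    <description>Server port</description>
  </property>
</configuration>
EOF
}

# Require a login for every URL except the unauthenticated version probe.
write_shiro_ini() {  # $1 = conf dir, $2 = user, $3 = password (placeholders, constructed)
  cat > "$1/shiro.ini" <<EOF
[users]
$2 = $3, admin
[main]
sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
securityManager.sessionManager = \$sessionManager
shiro.loginUrl = /api/login
[roles]
admin = *
[urls]
/api/version = anon
/** = authc
EOF
}

# Print the bind address a conf dir configures, or "unset" if the property is absent.
configured_bind_addr() {  # $1 = conf dir
  v=$(awk '/<name>zeppelin.server.addr<\/name>/{f=1;next}
           f&&/<value>/{sub(/.*<value>/,"");sub(/<\/value>.*/,"");print;exit}' \
        "$1/zeppelin-site.xml" 2>/dev/null || true)
  printf '%s\n' "${v:-unset}"
}
```

Run `configured_bind_addr conf` before and after applying the two writers to confirm the change; a result of `unset` means the 0.8.1 default (all interfaces) is still in effect.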