ZEPPELIN-5624: Arbitrary file deletion vulnerability

    Description

      I found a vulnerability in the Apache Zeppelin project (unauthorized-level vulnerability).

      By accessing

      /api/interpreter/setting/..%2Flogs

      you can delete the logs folder in the directory where the current project is located. If it is changed to

      /api/interpreter/setting/..%2F..%2Fzeppelin

      then you can delete the entire Zeppelin application directory, including all configuration files, the Zeppelin main program files, etc.
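A defensive check of the kind that closes this class of bug, added here as an example and not Zeppelin's own code: the setting id taken from the URL path is percent-decoded, restricted to a conservative alphabet, and the resulting path is confirmed to stay inside the settings directory before any delete is attempted. The settings directory, the id alphabet and the sample ids are assumptions.

```python
"""Added example (not Zeppelin's code): validate the {id} segment of
/api/interpreter/setting/{id} before it is used to build a filesystem path."""
import re
from pathlib import Path
from urllib.parse import unquote

# Hypothetical directory holding per-setting data (an assumption).
SETTINGS_DIR = Path("/opt/zeppelin/conf/interpreter-settings")

# A setting id is an opaque token: allow only a conservative character set,
# which excludes '.', '/', '\\' and '%' and therefore every traversal form.
_SAFE_ID = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def decode_fully(segment: str, max_rounds: int = 3) -> str:
    """Percent-decode until stable so double-encoded input (..%252F) is
    normalised before validation rather than slipping through."""
    for _ in range(max_rounds):
        decoded = unquote(segment)
        if decoded == segment:
            return segment
        segment = decoded
    return segment


def resolve_setting_path(raw_id: str, base: Path = SETTINGS_DIR) -> Path:
    """Return the path for raw_id, or raise ValueError if it is not a plain
    id or would resolve outside base."""
    setting_id = decode_fully(raw_id)
    # First line of defence: the id must match the expected alphabet.
    if not _SAFE_ID.match(setting_id):
        raise ValueError(f"invalid setting id: {raw_id!r}")
    # Second line of defence (belt and braces): the resolved path must be
    # a child of the settings directory, never the directory or a parent.
    candidate = (base / setting_id).resolve()
    if base.resolve() not in candidate.parents:
        raise ValueError(f"path escapes settings dir: {raw_id!r}")
    return candidate


def is_allowed(raw_id: str) -> bool:
    """True when raw_id would be accepted by resolve_setting_path."""
    try:
        resolve_setting_path(raw_id)
        return True
    except ValueError:
        return False
```

Run against the two request paths quoted in the report, both traversal ids are rejected before any filesystem call, while an ordinary id resolves to a file under the settings directory.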

People

  iiusky Cherry Li