Apache Zeppelin
cpe:2.3:a:apache:zeppelin:*:*:*:*:*:*:*
- >= 0.11.1, < 0.12.0
A vulnerability has been identified in Apache Zeppelin versions 0.11.1 prior to 0.12.0, related to improper input validation of JDBC URLs. The issue arises because the previous fix for JDBC URL validation did not consider URL-encoded input, so the validation could be bypassed by encoding the disallowed parts of the URL.
According to the report by PJ Fanning, exploitation could result in arbitrary file read by adding a malicious JDBC connection string.
To reproduce this vulnerability, enter a UTF-8 URL-encoded JDBC URL containing disallowed configuration into a JDBC-type interpreter, then execute a command in a notebook and observe whether the command is blocked. After applying the patch, the validation process decodes the URL before enforcing the validation rules, so commands that would exploit the vulnerability are rejected.
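The pre-fix and post-fix behaviour described above, as an added illustration that is not Zeppelin's own code: a denylist check applied to the raw URL string passes a percent-encoded parameter name, while the same check applied after decoding rejects it. The denylisted keys, the `?k=v&k2=v2` query syntax and the decode-round limit are assumptions for the example; the advisory does not name the settings Zeppelin actually blocks.

```python
from urllib.parse import unquote

# Constructed denylist for illustration only; the advisory does not name the
# settings Zeppelin actually blocks, so these keys are placeholders.
DISALLOWED_KEYS = {"exampledangerousoption", "exampleotheroption"}

MAX_DECODE_ROUNDS = 3  # assumed bound; stops decode loops on over-encoded input


def decode_fully(value: str) -> str:
    """Percent-decode until the string stops changing, so that double
    encoding (%2541 -> %41 -> A) cannot hide a key from the check."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(value, encoding="utf-8", errors="strict")
        if decoded == value:
            return value
        value = decoded
    # Still changing after the limit: reject rather than guess.
    raise ValueError("too many layers of URL encoding")


def query_keys(jdbc_url: str) -> set[str]:
    """Return the lower-cased parameter names from a JDBC URL's query part.
    Assumes '?k=v&k2=v2' syntax; drivers using ';'-separated options
    would need their own splitter."""
    _, sep, query = jdbc_url.partition("?")
    if not sep:
        return set()
    return {p.split("=", 1)[0].strip().lower() for p in query.split("&") if p}


def validate_raw(jdbc_url: str) -> bool:
    """Pre-fix style check: denylist matched against the URL as typed.
    Returns True when the URL is accepted."""
    return DISALLOWED_KEYS.isdisjoint(query_keys(jdbc_url))


def validate_decoded(jdbc_url: str) -> bool:
    """Fixed check: normalise by decoding first, then apply the same rules.
    Undecodable or over-encoded input is rejected outright."""
    try:
        normalised = decode_fully(jdbc_url)
    except (ValueError, UnicodeDecodeError):
        return False
    return DISALLOWED_KEYS.isdisjoint(query_keys(normalised))
```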
Users are advised to upgrade to Apache Zeppelin version 0.12.0, which addresses this vulnerability.