github / advisory-database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Creative Commons Attribution 4.0 International

[GHSA-86jx-wr74-xr74] Add affected product org.apache.zeppelin:zeppel… #4463

Closed raboof closed 2 months ago

raboof commented 2 months ago

…in-interpreter 0.8.2 < 0.11.1

This information was in the CVE metadata at https://www.cve.org/CVERecord?id=CVE-2024-31866

darakian commented 2 months ago

Many thanks for the PR. I took a look at the sources for zeppelin-interpreter https://repo1.maven.org/maven2/org/apache/zeppelin/zeppelin-interpreter/0.11.1/zeppelin-interpreter-0.11.1-sources.jar

And the shell script that's updated in the PR on this advisory does not seem to be present. How would you feel about changing the artifact on this to org.apache.zeppelin:zeppelin? The mailing list seems to be talking about the zeppelin project as a whole rather than a single component. https://lists.apache.org/thread/jpkbq3oktopt34x2n5wnhzc2r1410ddd

raboof commented 2 months ago

> I took a look at the sources for zeppelin-interpreter https://repo1.maven.org/maven2/org/apache/zeppelin/zeppelin-interpreter/0.11.1/zeppelin-interpreter-0.11.1-sources.jar
>
> And the shell script that's updated in the PR on this advisory does not seem to be present.

Thanks for digging in! While indeed zeppelin-interpreter does not contain interpreter.sh, it does reference it (https://github.com/apache/zeppelin/blob/v0.11.1/zeppelin-interpreter/src/main/java/org/apache/zeppelin/conf/ZeppelinConfiguration.java#L1018).

This of course begs the question whether there are other code paths that reference interpreter.sh. While there are, I suspect they were not marked as affected because they're already sufficiently isolated.

> How would you feel about changing the artifact on this to org.apache.zeppelin:zeppelin?

While I would be fine with marking 'zeppelin as a whole' affected by this advisory, since this section has "ecosystem": "Maven", I'm not sure if org.apache.zeppelin:zeppelin makes sense: there is only pom metadata at these coordinates (https://repo1.maven.org/maven2/org/apache/zeppelin/zeppelin/0.11.1/), no actual artifact. I would be concerned scanners that map Maven ecosystem groupId:artifactId coordinates to jar files would produce a false negative because it didn't find a jar with coordinates org.apache.zeppelin:zeppelin (but would pick up zeppelin-interpreter as that does correspond to a jar artifact).

I don't see an ecosystem in https://ossf.github.io/osv-schema/#affectedpackage-field that could represent 'zeppelin as a whole', unfortunately.
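As an added example (not code from this PR, the advisory database, or the Zeppelin project), the following Python sketch models the indexing concern raised above: an OSV affected entry keyed on the jar-backed coordinates org.apache.zeppelin:zeppelin-interpreter matches a resolved dependency list, while the same entry keyed on the pom-only org.apache.zeppelin:zeppelin coordinates produces the false negative. The version ordering is simplified to numeric parts, and the dependency lists are constructed.

```python
# Constructed OSV "affected" entry reflecting the range this PR adds
# (0.8.2 introduced, 0.11.1 fixed) for GHSA-86jx-wr74-xr74.
OSV_AFFECTED = {
    "package": {"ecosystem": "Maven", "name": "org.apache.zeppelin:zeppelin-interpreter"},
    "ranges": [{"type": "ECOSYSTEM",
                "events": [{"introduced": "0.8.2"}, {"fixed": "0.11.1"}]}],
}

# Hypothetical variant keyed on the pom-only parent coordinates discussed above.
POM_ONLY_AFFECTED = {**OSV_AFFECTED,
                     "package": {"ecosystem": "Maven", "name": "org.apache.zeppelin:zeppelin"}}

# Constructed: jar coordinates a scanner would see in a resolved dependency tree.
# org.apache.zeppelin:zeppelin ships only a pom, so it never shows up as a jar here.
VULNERABLE_BUILD = ["org.apache.zeppelin:zeppelin-interpreter:0.10.1", "org.slf4j:slf4j-api:1.7.36"]
FIXED_BUILD = ["org.apache.zeppelin:zeppelin-interpreter:0.11.1", "org.slf4j:slf4j-api:1.7.36"]


def version_key(version):
    # Simplified ordering: compare dot-separated numeric parts only.
    # Maven's ComparableVersion also orders qualifiers such as -SNAPSHOT or -rc1.
    return tuple(int(part) for part in version.split(".") if part.isdigit())


def in_range(version, events):
    # Walk the OSV events in order: "introduced" opens an affected span,
    # "fixed" closes it. The version is affected if the last matching event opened a span.
    affected = False
    for event in events:
        if "introduced" in event and version_key(version) >= version_key(event["introduced"]):
            affected = True
        if "fixed" in event and version_key(version) >= version_key(event["fixed"]):
            affected = False
    return affected


def scan(resolved_jars, affected=OSV_AFFECTED):
    """Return the resolved jar coordinates that fall inside the advisory's affected ranges."""
    wanted = affected["package"]["name"]
    hits = []
    for coordinate in resolved_jars:
        group_id, artifact_id, version = coordinate.split(":")
        if f"{group_id}:{artifact_id}" != wanted:
            continue
        if any(in_range(version, r["events"]) for r in affected["ranges"]):
            hits.append(coordinate)
    return hits


if __name__ == "__main__":
    print("jar-keyed entry :", scan(VULNERABLE_BUILD))       # flags the 0.10.1 jar
    print("pom-keyed entry :", scan(VULNERABLE_BUILD, POM_ONLY_AFFECTED))  # nothing: false negative
```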

darakian commented 2 months ago

> Thanks for digging in! While indeed zeppelin-interpreter does not contain interpreter.sh, it does reference it (https://github.com/apache/zeppelin/blob/v0.11.1/zeppelin-interpreter/src/main/java/org/apache/zeppelin/conf/ZeppelinConfiguration.java#L1018).

Oh I see. Interesting. That resolves my concern about indexing this on org.apache.zeppelin:zeppelin-interpreter, and just to flesh out my thinking on org.apache.zeppelin:zeppelin: I was thinking that if alerts were generated on a root artifact (even if it's just a pom) then scanning engines would get this advisory to the correct users, even though it would cause some noise for users who might not use the interpreter artifact. That said, thank you for digging further and let's get this live 👍

advisory-database[bot] commented 2 months ago

Hi @raboof! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future!