github / advisory-database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Creative Commons Attribution 4.0 International

[GHSA-8pfj-w89w-m24x] Add affected product org.apache.zeppelin:zeppel… #4464

Closed raboof closed 1 month ago

raboof commented 2 months ago

…in-shell 0.10.1 < 0.11.1

This information was in the CVE metadata at https://www.cve.org/CVERecord?id=CVE-2024-31861

darakian commented 2 months ago

Similar to the other PR I'm not sure I follow on package choice. Looking at the linked PR it seems like something in their build system is being changed. https://github.com/apache/zeppelin/pull/4708/files Could you explain how that change implicated the org.apache.zeppelin:zeppelin-shell artifact?

raboof commented 2 months ago

> Similar to the other PR I'm not sure I follow on package choice. Looking at the linked PR it seems like something in their build system is being changed. https://github.com/apache/zeppelin/pull/4708/files Could you explain how that change implicated the org.apache.zeppelin:zeppelin-shell artifact?

Indeed the zeppelin-shell component itself was not changed, but it was disabled by default. Like with https://github.com/github/advisory-database/pull/4463, marking 'zeppelin as a whole' as affected would perhaps have been preferable, but failing a way to refer to that, 'any installation containing zeppelin-shell' seems like a reasonable proxy.

darakian commented 2 months ago

What does it mean that the shell component was disabled by default though? Forgive my ignorance with the project, but my thinking is that if I add org.apache.zeppelin:zeppelin-shell to my pom I still need to import and to use the code from the artifact in my particular project. That is to say opt-in behavior. Am I missing something there?

raboof commented 1 month ago

> What does it mean that the shell component was disabled by default though? Forgive my ignorance with the project, but my thinking is that if I add org.apache.zeppelin:zeppelin-shell to my pom I still need to import and to use the code from the artifact in my particular project. That is to say opt-in behavior. Am I missing something there?

zeppelin-shell is an 'Interpreter' component for Zeppelin: you would typically not use it in your own project/pom, only with Zeppelin. Zeppelin detects available interpreters by scanning the 'interpreter' directory of the installation. 'Disabled by default' here means zeppelin-shell is no longer placed in the 'interpreter' directory during the default installation, so operators that want to use it (and have considered the risk of doing so) need to place it there explicitly.
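
Since the advisory's "affected" condition is effectively "a zeppelin-shell jar in the affected range is present in the installation's interpreter directory", an operator can check their own installation for exactly that. The following is an added example, not code from this PR or from the Zeppelin project: it walks `<ZEPPELIN_HOME>/interpreter` (the directory the comment above says Zeppelin scans), parses the version out of any `zeppelin-shell-<version>.jar` it finds, and flags versions in the range stated in the PR title (0.10.1 up to, but not including, 0.11.1). The `interpreter/sh/` subdirectory and the `zeppelin-shell-<major>.<minor>.<patch>.jar` file-name pattern are assumptions about the layout; adjust the regex if your build names the jar differently.

```python
"""Check a Zeppelin installation for a zeppelin-shell interpreter in the affected range."""
import re
import tempfile
from pathlib import Path

# Affected range as stated in the PR: zeppelin-shell 0.10.1 <= version < 0.11.1
AFFECTED_MIN = (0, 10, 1)
FIXED_VERSION = (0, 11, 1)

# Assumed jar naming: zeppelin-shell-<major>.<minor>.<patch>[-qualifier].jar
JAR_RE = re.compile(r"^zeppelin-shell-(\d+)\.(\d+)\.(\d+)(?:-[A-Za-z0-9.]+)?\.jar$")


def parse_shell_jar_version(filename):
    """Return (major, minor, patch) for a zeppelin-shell jar file name, else None."""
    m = JAR_RE.match(filename)
    if m is None:
        return None
    return tuple(int(part) for part in m.groups())


def is_affected(version):
    """True when a (major, minor, patch) tuple falls inside the advisory's affected range."""
    return AFFECTED_MIN <= version < FIXED_VERSION


def scan_zeppelin_home(zeppelin_home):
    """Walk <home>/interpreter, the directory Zeppelin scans for interpreters,
    and report every zeppelin-shell jar found there with its version and whether
    that version is in the affected range. Other interpreters are ignored."""
    interpreter_dir = Path(zeppelin_home) / "interpreter"
    findings = []
    if not interpreter_dir.is_dir():
        return findings
    for jar in sorted(interpreter_dir.rglob("*.jar")):
        version = parse_shell_jar_version(jar.name)
        if version is None:
            continue  # some other interpreter, not in scope for this advisory
        findings.append({
            "path": jar.relative_to(interpreter_dir).as_posix(),
            "version": version,
            "affected": is_affected(version),
        })
    return findings


def make_demo_install(root, shell_version=None):
    """Constructed fixture (assumed layout): a fake Zeppelin home with a markdown
    interpreter and, if shell_version is given, a shell interpreter jar."""
    root = Path(root)
    (root / "interpreter" / "md").mkdir(parents=True)
    (root / "interpreter" / "md" / "zeppelin-markdown-0.10.1.jar").write_bytes(b"")
    if shell_version is not None:
        (root / "interpreter" / "sh").mkdir(parents=True)
        (root / "interpreter" / "sh" / f"zeppelin-shell-{shell_version}.jar").write_bytes(b"")
    return root


def demo(shell_version):
    """Build a throwaway installation and scan it; returns the findings list."""
    with tempfile.TemporaryDirectory() as tmp:
        home = make_demo_install(tmp, shell_version)
        return scan_zeppelin_home(home)


if __name__ == "__main__":
    # Default install (no shell interpreter), an affected version, and the fixed version.
    for v in (None, "0.10.1", "0.11.1"):
        print(f"zeppelin-shell {v}: {demo(v)}")
```

On a real host, call `scan_zeppelin_home("/opt/zeppelin")` (or wherever `ZEPPELIN_HOME` points) instead of `demo`; an empty result means the interpreter was never placed in the directory, which is the "disabled by default" state described above, while a result with `"affected": True` means the shell interpreter is both installed and within the advisory's range.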

darakian commented 1 month ago

Gotcha. Thanks for the clarification 👍

advisory-database[bot] commented 1 month ago

Hi @raboof! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future!