bash command injection vulnerability in Apache Zeppelin allows an attacker to inject system commands into Spark interpreter settings. This issue affects Apache Zeppelin Apache Zeppelin version 0.9.0 and prior versions.

Affected Packages

Maven org.apache.zeppelin:zeppelin

Affected versions: 0 (fixed in 0.10.0)

Related CVEs

CVE-2019-10095

Key Information

GHSA ID

GHSA-4qw8-pgpr-p9mq

Published

September 7, 2021 10:56 PM

Last Modified

November 27, 2023 9:44 PM

CVSS Score

9.0 /10

Primary Ecosystem

Maven

Primary Package

org.apache.zeppelin:zeppelin

GitHub Reviewed

✓ Yes

Dataset

Last updated: November 26, 2025 6:30 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.