Known Issues in Apache Zeppelin

Learn about the known issues in Zeppelin, the impact or changes to the functionality, and the workaround.

TSB 2024-650: Arbitrary file deletion vulnerability in Apache Zeppelin

The improper Input Validation vulnerability in Apache Zeppelin allows an attacker to delete arbitrary files. Using a successful cross-site scripting attack by accessing the logs through API:

/api/interpreter/setting/..%2Flogs

The logs folder can be deleted from the directory where the current project is located. If the API is changed to /api/interpreter/setting/..%2F..%2Fzeppelin the following setting, the entire Zeppelin application directory can be deleted. The Zeppelin application directory contains every configuration file, Zeppelin main program files, and so on, which are crucial for the proper operations of Zeppelin.

Upstream JIRA: ZEPPELIN-5624

For the latest update on this issue see the corresponding Knowledge article: TSB 2024-650: TSB title

CDPD-3090: Due to a configuration typo, functionality involving notebook repositories does not work

Due to a missing closing brace, access to the notebook repositories API is blocked by default.

From the CDP Management Console, go to Cloudera Manager for the cluster running Zeppelin. On the Zeppelin configuration page (Zeppelin service > Configuration), enter shiro urls in the Search field, and then add the missing closing brace to the notebook-repositories URL, as follows:

/api/notebook-repositories/** = authc, roles[{{zeppelin_admin_group}}]

Click Save Changes, and restart the Zeppelin service.

CDPD-2406: Logout button does not work

Clicking the Logout button in the Zeppelin UI logs you out, but then immediately logs you back in using SSO.

Close the browser.