Hello, I went back and re-read the mailing list summary of CVE-2024-31861 before composing this message, and I still don't quite grasp what the reporter/finder of the alleged vulnerability thinks they found. I followed the links to the NVD at NIST, and didn't find any more substantive information from the reporter.
The CVE says that the Shell interpreter can be used as "a code generation gateway", but doesn't say that the Shell interpreter does anything that enables privilege escalation for any generated code. Heck, Visual Studio Code allows a programmer to launch a terminal/shell from within that editor; is that the same thing as "a code generation gateway"? If we took the assertions here at face value, I think it would be extraordinarily difficult to write a shell interpreter that could address the implicit claims made about "Improper Control of Generation of Code" while still providing the necessary functionality. I guess I'm saying it would have been great to get more information from the originating reporter of the alleged vulnerability.

In the absence of more information about what proper control of the code generation would constitute, I agree with Michiel that we should update the documentation and republish the shell interpreter.

Bill

On Thu, Apr 11, 2024 at 2:40 AM Jongyoul Lee <jongy...@gmail.com> wrote:
> Hello,
>
> I want to discuss the Shell interpreter issue with you.
>
> For your information, we had a security report using the Shell interpreter to
> execute malicious code with a system account. As you know, it's a kind of
> characteristic of Apache Zeppelin, but some contributors, including me,
> thought it was too risky even if it's a feature. Moreover, I thought that
> we had some workarounds to do similar executions.
>
> However, after releasing it, there were many questions via several
> channels about the deprecation of the Shell interpreter.
>
> I would like to follow the community's decision. For one more piece of
> information, we already have a security page to warn about the code execution
> feature, so we can keep the Shell interpreter without any further treatment.
>
> Could you please give me your opinion on this?
>
> If we conclude on keeping it, I'll release a new release of 0.11.2 including
> the Shell interpreter again.
>
> Best regards,
> Jongyoul Lee