CVE-2024-27348
Apache HugeGraph-Server: Command execution in gremlin
In short
Apache HugeGraph-Server allows attackers to execute arbitrary commands on the server through the Gremlin query interface without authentication. This is a critical flaw that can lead to complete system compromise.
Technical detail
Remote Code Execution vulnerability in Apache HugeGraph-Server versions 1.0.0 through 1.2.x (that is, every release before 1.3.0), exploitable by submitting a Gremlin script to the server's Gremlin query interface without authentication. The weakness is improper access control (CWE-284) rather than input validation: when the Auth system is not enabled, the Gremlin execution path is reachable by any remote client, and a script submitted through it can run arbitrary OS commands with the privileges of the server process. The CVSS vector below (AV:N, PR:N, UI:N) reflects that no credentials and no user interaction are needed. Exposure therefore depends on two things a practitioner can check: the running version, and whether authentication is enabled on the Gremlin interface. The CVE is listed in CISA's Known Exploited Vulnerabilities catalog (see References), so exploitation in the wild has been observed.
Summary generated and translated by AI from the official description.
RCE-Remote Command Execution vulnerability in Apache HugeGraph-Server. This issue affects Apache HugeGraph-Server: from 1.0.0 before 1.3.0 in Java8 & Java11
Users are recommended to upgrade to version 1.3.0 with Java11 & enable the Auth system, which fixes the issue.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
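The two conditions above (version inside the affected range, Gremlin interface answering without credentials) can be checked without exploiting anything. The script below is an added example for this page, not code from the advisory, the public PoCs or the HugeGraph project. It assumes the HugeGraph REST API shape: GET /versions returning {"versions": {"core": "x.y.z", ...}} and POST /gremlin accepting a TinkerPop-style JSON request and returning {"status": {"code": ...}, "result": {"data": [...]}}. It only evaluates the harmless expression 1+1; the sample replies at the bottom are constructed so the logic runs offline.

```python
"""Exposure check for CVE-2024-27348 (Apache HugeGraph-Server, Gremlin RCE).

Added example; not from the advisory or the HugeGraph project, and it does
not exploit the flaw. Assumed API shapes (HugeGraph REST API, not this page):
  GET  /versions -> {"versions": {"core": "<x.y.z>", ...}}
  POST /gremlin  -> {"status": {"code": 200, ...}, "result": {"data": [...]}}
"""
import json
import re
import sys
import urllib.error
import urllib.request

AFFECTED_MIN = (1, 0, 0)   # "from 1.0.0" in the advisory
FIXED_IN = (1, 3, 0)       # "before 1.3.0" in the advisory

# Harmless script: a result of [2] proves the server evaluated it, nothing more.
CANARY_SCRIPT = "1+1"


def parse_version(text):
    """Return (major, minor, patch) from strings like '1.2.0' or 'v1.2.0.1'."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError("unrecognised version string: %r" % text)
    return tuple(int(part) for part in m.groups())


def is_affected_version(core_version):
    """True when the reported core version lies in [1.0.0, 1.3.0)."""
    return AFFECTED_MIN <= parse_version(core_version) < FIXED_IN


def classify_gremlin_response(status, body):
    """Interpret a /gremlin reply to the canary script.

    'auth-required'             : 401/403, the Auth system rejected the request
    'unauthenticated-execution' : HTTP 200 and the canary was evaluated
    'inconclusive'              : anything else (proxy page, error, ...)
    """
    if status in (401, 403):
        return "auth-required"
    if status == 200:
        try:
            reply = json.loads(body)
        except ValueError:
            return "inconclusive"
        ok = reply.get("status", {}).get("code") == 200
        data = reply.get("result", {}).get("data")
        if ok and data == [2]:          # 1+1 was evaluated server-side
            return "unauthenticated-execution"
    return "inconclusive"


def assess(core_version, gremlin_status, gremlin_body):
    """Combine version range and authentication state into one verdict."""
    affected = is_affected_version(core_version) if core_version else None
    outcome = classify_gremlin_response(gremlin_status, gremlin_body)
    if outcome == "unauthenticated-execution":
        # Auth is off either way; only the advisory range counts as "exposed".
        return "exposed" if affected else "gremlin-open"
    if outcome == "auth-required":
        if affected is None:
            return "auth-required-version-unknown"
        return "upgrade-needed" if affected else "ok"
    return "inconclusive"


def probe(base_url, timeout=5.0):
    """Live check against a server you are authorised to test."""
    base = base_url.rstrip("/")
    try:
        with urllib.request.urlopen(base + "/versions", timeout=timeout) as r:
            core = json.loads(r.read().decode())["versions"]["core"]
    except urllib.error.HTTPError:
        core = None                      # version endpoint itself refused us
    payload = json.dumps({"gremlin": CANARY_SCRIPT, "bindings": {},
                          "language": "gremlin-groovy", "aliases": {}})
    req = urllib.request.Request(base + "/gremlin", data=payload.encode(),
                                 headers={"Content-Type": "application/json"},
                                 method="POST")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as r:
            status, body = r.status, r.read().decode()
    except urllib.error.HTTPError as e:
        status, body = e.code, e.read().decode()
    return core, assess(core, status, body)


# Constructed sample replies (not captured from a real server).
SAMPLE_OPEN_REPLY = json.dumps({
    "requestId": "00000000-0000-0000-0000-000000000000",
    "status": {"message": "", "code": 200, "attributes": {}},
    "result": {"data": [2], "meta": {}},
})
SAMPLE_AUTH_REPLY = json.dumps({"exception": "Unauthorized", "message": ""})


if __name__ == "__main__":
    if len(sys.argv) == 2:
        core, verdict = probe(sys.argv[1])       # e.g. http://host:8080
        print("core=%s verdict=%s" % (core, verdict))
    else:
        print("offline demo:", assess("1.2.0", 200, SAMPLE_OPEN_REPLY),
              assess("1.3.0", 401, SAMPLE_AUTH_REPLY))
```

Run it with the server's base URL as the only argument (the HugeGraph REST port, 8080 by default). A verdict of "exposed" means both advisory conditions hold; "gremlin-open" means the version is outside the range but the interface still accepts unauthenticated scripts, which is still worth fixing by enabling the Auth system; "upgrade-needed" means auth is on but the version is in range.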
Affected products
Apache Software Foundation · Apache HugeGraph-Server
Public PoCs found: 7
GitHub: github.com/Zeyad-Azima/CVE-2024-27348 (★ 61)
GitHub: github.com/kljunowsky/CVE-2024-27348 (★ 18)
GitHub: github.com/jakabakos/CVE-2024-27348-Apache-HugeGraph-RCE (★ 4)
GitHub: github.com/akelaqe/CVE-2024-27348-HugeGraph-RCE (★ 1)
GitHub: github.com/wqfh/CVE-2024-27348 (★ 1)
GitHub: github.com/p0et08/CVE-2024-27348 (★ 0)
Exploit-DB: www.exploit-db.com/exploits/52149 (unverified)
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.
References
https://hugegraph.apache.org/docs/config/config-authentication/#configure-user-authentication
https://lists.apache.org/thread/nx6g6htyhpgtzsocybm242781o8w5kq9
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-27348
https://www.vicarius.io/vsociety/posts/remote-code-execution-vulnerability-in-apache-hugegraph-server-cve-2024-27348
http://www.openwall.com/lists/oss-security/2024/04/22/3