CVE-2024-27348

Apache HugeGraph-Server Improper Access Control Vulnerability

Severity Score

9.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

Yes

*KEV

Decision

Act

*SSVC

Descriptions

RCE-Remote Command Execution vulnerability in Apache HugeGraph-Server.This issue affects Apache HugeGraph-Server: from 1.0.0 before 1.3.0 in Java8 & Java11

Users are recommended to upgrade to version 1.3.0 with Java11 & enable the Auth system, which fixes the issue.

Vulnerabilidad de ejecución remota de comandos RCE en Apache HugeGraph-Server. Este problema afecta a Apache HugeGraph-Server: desde 1.0.0 antes de 1.3.0 en Java8 y Java11. Se recomienda a los usuarios actualizar a la versión 1.3.0 con Java11 y habilitar el sistema de autenticación lo que soluciona el problema.

Apache HugeGraph versions 1.0.0 and up to 1.3.0 suffer from a remote command execution vulnerability. This is a scanner to test for the issue.

Apache HugeGraph-Server contains an improper access control vulnerability that could allow a remote attacker to execute arbitrary code.

*Credits: 6right of moresec

CVSS Scores

CISAv3.1 9.8

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:Act

Exploitation

Active

Automatable

Yes

Tech. Impact

Total

* Organization's Worst-case Scenario

Timeline

2024-02-24 CVE Reserved
2024-04-22 CVE Published
2024-06-03 First Exploit
2024-09-18 CVE Updated
2024-09-18 Exploited in Wild
2024-09-20 EPSS Updated
2024-10-09 KEV Due Date

CWE

CWE-284: Improper Access Control

CAPEC

References (6)

URL	Tag	Source
http://www.openwall.com/lists/oss-security/2024/04/22/3
https://hugegraph.apache.org/docs/config/config-authentication/#configure-user-authentication	Related

URL	Date	SRC
https://github.com/Zeyad-Azima/CVE-2024-27348	2024-06-08
https://github.com/kljunowsky/CVE-2024-27348	2024-06-03
https://github.com/jakabakos/CVE-2024-27348-Apache-HugeGraph-RCE	2024-06-12

URL	Date	SRC

URL	Date	SRC
https://lists.apache.org/thread/nx6g6htyhpgtzsocybm242781o8w5kq9	2024-05-01

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Apache Software Foundation Search vendor "Apache Software Foundation"		Apache HugeGraph-Server Search vendor "Apache Software Foundation" for product "Apache HugeGraph-Server"				>= 1.0.0 < 1.3.0 Search vendor "Apache Software Foundation" for product "Apache HugeGraph-Server" and version " >= 1.0.0 < 1.3.0"		en		Affected