CVE-2024-36263

Apache Submarine Server Core: SQL injection

Severity Score

8.1

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track*

*SSVC

Descriptions

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Apache Submarine Server Core.

This issue affects Apache Submarine Server Core: all versions.

As this project is retired, we do not plan to release a version that fixes this issue. Users are recommended to find an alternative or restrict access to the instance to trusted users.

NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

Neutralización inadecuada de elementos especiales utilizados en una vulnerabilidad de comando SQL ("inyección SQL") en Apache Submarine Server Core. Este problema afecta a Apache Submarine Server Core: todas las versiones. Como este proyecto está retirado, no planeamos lanzar una versión que solucione este problema. Se recomienda a los usuarios que busquen una alternativa o restrinjan el acceso a la instancia a usuarios confiables. NOTA: Esta vulnerabilidad solo afecta a productos que ya no son compatibles con el fabricante.

*Credits: BaoChengZhang of LengJingQiCaiSecurityLab, L0ne1y

CVSS Scores

CISAv3.1 8.1

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:Track*

Exploitation

None

Automatable

Tech. Impact

Total

* Organization's Worst-case Scenario

Timeline

2024-05-22 CVE Reserved
2024-06-12 CVE Published
2024-06-13 EPSS Updated
2024-08-21 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CAPEC

References (3)

URL	Tag	Source
http://www.openwall.com/lists/oss-security/2024/06/12/1

URL	Date	SRC

URL	Date	SRC
https://github.com/apache/submarine/pull/1121	2024-06-13

URL	Date	SRC
https://lists.apache.org/thread/8q9kbdg9gk9kpz5p8x6t7q8709l3vrmt	2024-06-13

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Apache Software Foundation Search vendor "Apache Software Foundation"		Apache Submarine Server Core Search vendor "Apache Software Foundation" for product "Apache Submarine Server Core"				0 Search vendor "Apache Software Foundation" for product "Apache Submarine Server Core" and version "0"		en		Affected

* End Of Life in some or all products. Do not expect updates.