CVE-2024-27348
unknown
KEV
CVSS v3
—
CVSS v2
—
VIR risk
1.5
Description
Apache HugeGraph-Server contains an improper access control vulnerability that could allow a remote attacker to execute arbitrary code.
CISA KEV
- Vendor
- Apache
- Product
- HugeGraph-Server
- Due date
- 2024-10-09
Predictions
Exploit likelihood
99%
Patch ETA
—
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: cisa-kev — This vulnerability affects a common open-source component, third-party library, or a protocol used by different products. Please check with specific vendors for information on patching status. For more information, please see: https://lists.apache.org/thread/nx6g6htyhpgtzsocybm242781o8w5kq9 ; https://nvd.nist.gov/vuln/detail/CVE-2024-27348
Exploits
Package impact
| Ecosystem | Package | Vulnerable | Fixed |
|---|---|---|---|
| Maven | org.apache.hugegraph:hugegraph-api | >=1.0.0,<1.3.0 | 1.3.0 |
| Maven | org.apache.hugegraph:hugegraph-core | >=1.0.0,<1.3.0 | 1.3.0 |
References
- https://nvd.nist.gov/vuln/detail/CVE-2024-27348
- https://github.com/apache/incubator-hugegraph/commit/713d88d1fd9953c3c3e3f130389501910ba40e1d
- https://github.com/apache/incubator-hugegraph
- https://hugegraph.apache.org/docs/config/config-authentication/#configure-user-authentication
- https://lists.apache.org/thread/nx6g6htyhpgtzsocybm242781o8w5kq9
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-27348
- https://www.vicarius.io/vsociety/posts/remote-code-execution-vulnerability-in-apache-hugegraph-server-cve-2024-27348
- http://www.openwall.com/lists/oss-security/2024/04/22/3
- This vulnerability affects a common open-source component, third-party library, or a protocol used by different products. Please check with specific vendors for information on patching status. For more information, please see: https://lists.apache.org/thread/nx6g6htyhpgtzsocybm242781o8w5kq9 ; https://nvd.nist.gov/vuln/detail/CVE-2024-27348
Verify integrity in audit chain (admin only). AS-IS.