Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <CA+th4MLqu7Fb+XM_RZxBcFMJJAnhoPqKWMMmWGCCg1j_YA2x8A@mail.gmail.com>
Date: Mon, 22 Apr 2024 15:37:38 +0800
From: Imba Jin <jin@...che.org>
To: oss-security@...ts.openwall.com
Subject: CVE-2024-27348: Apache HugeGraph-Server: Command execution in gremlin

Severity: important

Affected versions:

- Apache HugeGraph-Server 1.0.0 before 1.3.0

Description:

RCE-Remote Command Execution vulnerability in Apache
HugeGraph-Server.This issue affects Apache HugeGraph-Server: from
1.0.0 before 1.3.0 in Java8 & Java11

Users are recommended to upgrade to version 1.3.0 with Java11 & enable
the Auth system, which fixes the issue.

Also you could enable the "Whitelist-IP/port" function to improve the
security of RESTful-API execution

Credit:

6right of moresec (reporter)

References:

https://hugegraph.apache.org/docs/config/config-authentication/#configure-user-authentication
https://hugegraph.apache.org/docs/download/download/
https://www.cve.org/CVERecord?id=CVE-2024-27348

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.