Command Injection Affecting org.apache.hugegraph:hugegraph-core package, versions [,1.3.0)
Snyk CVSS
Attack Complexity
Low
Confidentiality
High
Integrity
High
Availability
High
Threat Intelligence
EPSS
0.05% (15th
percentile)
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-JAVA-ORGAPACHEHUGEGRAPH-6672129
- published 23 Apr 2024
- disclosed 22 Apr 2024
- credit 6right
Introduced: 22 Apr 2024
New CVE-2024-27348 Open this link in a new tabHow to fix?
Upgrade org.apache.hugegraph:hugegraph-core
to version 1.3.0 or higher.
Overview
Affected versions of this package are vulnerable to Command Injection due to improper handling of user input in the gremlin interface. An attacker can execute arbitrary commands on the server by crafting malicious input.
Notes:
Additional to upgrading to the fix version, users are recommended to enable the Auth system to fix the issue;
Enabling the "Whitelist-IP/port" function improves the security of RESTful-API execution.