Command Injection Affecting org.apache.hugegraph:hugegraph-core package, versions [,1.3.0)


Severity

Recommended
0.0
critical
0
10

CVSS assessment made by Snyk's Security Team. Learn more

Threat Intelligence

Exploit Maturity
Mature
EPSS
96.56% (100th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Command Injection vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-JAVA-ORGAPACHEHUGEGRAPH-6672129
  • published23 Apr 2024
  • disclosed22 Apr 2024
  • credit6right

Introduced: 22 Apr 2024

CVE-2024-27348  (opens in a new tab)
CWE-77  (opens in a new tab)

How to fix?

Upgrade org.apache.hugegraph:hugegraph-core to version 1.3.0 or higher.

Overview

Affected versions of this package are vulnerable to Command Injection due to improper handling of user input in the gremlin interface. An attacker can execute arbitrary commands on the server by crafting malicious input.

Notes:

  1. This vulnerability impacts users with the vulnerable versions used with Java8 and Java11

  2. Additional to upgrading to the fixed version, users are recommended to enable the Auth system to fix the issue.

  3. Enabling the "Whitelist-IP/port" function improves the security of RESTful-API execution.

CVSS Scores

version 3.1