<p>Upgrade <code>org.apache.hugegraph:hubble-be</code> to version 1.3.0 or higher.</p>

Server-Side Request Forgery (SSRF) Affecting org.apache.hugegraph:hubble-be package, versions [,1.3.0)

Snyk CVSS

Attack Complexity Low

Scope Changed

Threat Intelligence

EPSS 0.04% (9^th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk ID SNYK-JAVA-ORGAPACHEHUGEGRAPH-6672140
published 23 Apr 2024
disclosed 22 Apr 2024
credit 6right

Report a new vulnerability Found a mistake?

Introduced: 22 Apr 2024

New CVE-2024-27347 Open this link in a new tab CWE-918 Open this link in a new tab

How to fix?

Upgrade org.apache.hugegraph:hubble-be to version 1.3.0 or higher.

Overview

Affected versions of this package are vulnerable to Server-Side Request Forgery (SSRF) due to improper validation of user-supplied URLs in the Hubble connection page. An attacker can send crafted requests that cause the server to make arbitrary requests to internal or external resources, potentially leading to sensitive information disclosure or unauthorized actions.