What is CVE-2024-27348?

CVE-2024-27348 is a critical remote code execution (RCE) vulnerability in Apache HugeGraph, a popular open-source graph database used in Java 8 and Java 11 environments. The vulnerability has a CVSS score of 9.8 and is caused by missing reflection filtering in the SecurityManager, allowing attackers to bypass sandbox restrictions and achieve remote code execution.

Which versions of Apache HugeGraph are affected by CVE-2024-27348?

Apache HugeGraph-Server versions 1.0.0 up to, but not including, 1.3.0 are affected by CVE-2024-27348.

What actions can attackers perform if they exploit CVE-2024-27348?

Exploiting CVE-2024-27348 can allow attackers to achieve remote code execution, full server control, data theft, or ransomware deployment.

What mitigation measures are recommended for CVE-2024-27348?

To mitigate CVE-2024-27348, users should upgrade to version 1.3.0 of Apache HugeGraph, use Java 11, and enable the Auth system and the Whitelist-IP/port function to improve RESTful-API execution security.

Advisory

Apache HugeGraph reports critical flaw, POC exploit code published

Q: Who published the proof of concept (PoC) exploit and Python scanner for CVE-2024-27348?

Security researcher Milan Jovic published a PoC exploit that allows unauthenticated users to execute OS commands on vulnerable versions. Security researcher Zeyad Azima published a Python scanner to identify vulnerable HugeGraph implementations.

Q: What should users of Apache HugeGraph do immediately regarding CVE-2024-27348?

Given the severity of CVE-2024-27348 and the availability of PoC exploit code, users should upgrade to the latest version (1.3.0) immediately.

published: June 7, 2024

Take action: If you are using Apache HugeGraph, perform a risk assessment to identify how easy it is to exploit your implementation. That includes testing the PoC exploits. Then plan for a quick patch.

Learn More

A critical remote code execution (RCE) vulnerability, tracked as CVE-2024-27348 is reported in Apache HugeGraph, a popular open-source graph database used in Java 8 and Java 11 environments.

CVE-2024-27348 (CVSS Score 9.8) is caused by missing reflection filtering in the SecurityManager, which can be exploited using specially crafted Gremlin commands. This allows attackers to bypass sandbox restrictions and achieve remote code execution, to full server control, data theft or ransomware deployment.
Affected Versions are Apache HugeGraph-Server 1.0.0 up to, but not including, 1.3.0. The flaw is fixed in version: 1.3.0

To mitigate this vulnerability, users should upgrade to version 1.3.0, use Java 11 and enable the Auth system and enable the Whitelist-IP/port function to improve RESTful-API execution security.

Security researcher Milan Jovic's has published an PoC exploitAllows unauthenticated users to execute OS commands on vulnerable versions.

Security researcher Zeyad Azima has published a Python scanner to identify vulnerable HugeGraph implementations.

Given the severity of this vulnerability and the availability of POC exploit code, users should upgrade to the latest version immediately.

Apache HugeGraph reports critical flaw, POC exploit code published

Read More
JetBrains warns users of IntelliJ IDE flaw leaking …
VMware reports critical vulnerability in vCenter
Arcserve Unified Data Protection reports three critical issues, …
CISA Reports Actively Exploited VMware ESXi Flaw in …
ForceMemo: Hundreds of GitHub Python Repos Compromised via …