CVE-2024-27348
Remote Command Execution vulnerability in hugegraph-api (Maven)
What is CVE-2024-27348 About?
This vulnerability allows for Remote Command Execution (RCE) in Apache HugeGraph-Server versions from 1.0.0 before 1.3.0. An attacker can exploit this flaw to execute arbitrary commands on the server. The impact is severe, potentially leading to full system compromise, and its exploitation is reliable.
Affected Software
- org.apache.hugegraph:hugegraph-api
  - >1.0.0, <1.3.0
- org.apache.hugegraph:hugegraph-core
  - >1.0.0, <1.3.0
Technical Details
Apache HugeGraph-Server versions from 1.0.0 up to 1.3.0 (exclusive), on Java 8 and Java 11 deployments, contain a vulnerability that permits Remote Command Execution. The advisory summary does not detail the mechanism; RCE vulnerabilities of this kind typically stem from improper input validation, insecure deserialization, or command injection flaws. An attacker can send specially crafted input that, when processed by HugeGraph-Server, triggers execution of arbitrary operating system commands on the underlying host. The vulnerability is present when the Auth system is not enabled, which points either to a bypass of a security control or to a directly vulnerable processing component. Successful exploitation grants the attacker control over the server.
What is the Impact of CVE-2024-27348?
Successful exploitation may allow attackers to execute arbitrary commands on the server, leading to full system compromise, data exfiltration, or complete disruption of services.
What is the Exploitability of CVE-2024-27348?
Exploitability of this RCE vulnerability is rated high-confidence, meaning reliable and stable exploits likely exist. The attack is remote and requires no local access. Authentication requirements are not explicitly stated, but the remediation mentions enabling the Auth system, which suggests the vulnerability is exploitable without authentication when the Auth system is disabled. The privileges obtained would typically be those of the running HugeGraph-Server process. The main prerequisites are an affected version of HugeGraph-Server on Java 8 or 11 and, crucially, the Auth system not being enabled. The existence of high-confidence exploits signifies that the complexity barrier to exploitation is low, increasing the likelihood of successful attacks.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| Zeyad-Azima | Link | Apache HugeGraph Server RCE Scanner (CVE-2024-27348) |
| kljunowsky | Link | Apache HugeGraph Server Unauthenticated RCE - CVE-2024-27348 Proof of concept Exploit |
| jakabakos | Link | PoC for CVE-2024-27348 |
What are the Available Fixes for CVE-2024-27348?
Available Upgrade Options
- org.apache.hugegraph:hugegraph-api
  - >1.0.0, <1.3.0 → Upgrade to 1.3.0
- org.apache.hugegraph:hugegraph-core
  - >1.0.0, <1.3.0 → Upgrade to 1.3.0
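As an added example (not part of this advisory or of the HugeGraph project), the following Python script scans a Maven pom.xml for the two affected coordinates and reports whether each pinned version falls in the vulnerable range. It follows the advisory's prose wording ("from 1.0.0 before 1.3.0", i.e. an inclusive lower bound) rather than the ">1.0.0" list entry, which is the more conservative reading for a defender. The sample pom.xml embedded below is constructed for illustration; `${property}` versions are resolved from the pom's own `<properties>` block, and a version that cannot be resolved is reported as unknown rather than silently treated as safe.

```python
"""Scan a Maven pom.xml for HugeGraph coordinates affected by CVE-2024-27348.

Added example for this advisory; not project code. The affected coordinates
and fix version below are taken from the advisory text.
"""
import re
import xml.etree.ElementTree as ET

AFFECTED_ARTIFACTS = {
    ("org.apache.hugegraph", "hugegraph-api"),
    ("org.apache.hugegraph", "hugegraph-core"),
}
AFFECTED_LOWER = (1, 0, 0)   # inclusive: "versions from 1.0.0"
FIXED_VERSION = (1, 3, 0)    # exclusive: "before 1.3.0" (upgrade target)


def parse_version(text):
    """Turn '1.2.0' or '1.2.0-SNAPSHOT' into a comparable (major, minor, patch)
    tuple. Qualifiers after '-' are dropped; missing components count as 0."""
    core = text.strip().split("-")[0]
    parts = []
    for piece in core.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_affected(version):
    """True when the version lies in [1.0.0, 1.3.0)."""
    return AFFECTED_LOWER <= parse_version(version) < FIXED_VERSION


def _local(tag):
    """Strip the XML namespace: pom files declare a default namespace, so
    ElementTree reports tags as '{http://maven.apache.org/POM/4.0.0}groupId'."""
    return tag.split("}", 1)[1] if "}" in tag else tag


def _child_text(elem, name):
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return None


def scan_pom(pom_xml):
    """Return (groupId, artifactId, version, affected) for every hugegraph
    dependency found. 'affected' is None when the version could not be resolved."""
    root = ET.fromstring(pom_xml)
    props = {}
    for elem in root:
        if _local(elem.tag) == "properties":
            for p in elem:
                props[_local(p.tag)] = (p.text or "").strip()
    findings = []
    for dep in root.iter():
        if _local(dep.tag) != "dependency":
            continue
        gid = _child_text(dep, "groupId")
        aid = _child_text(dep, "artifactId")
        ver = _child_text(dep, "version")
        if (gid, aid) not in AFFECTED_ARTIFACTS or ver is None:
            continue
        m = re.fullmatch(r"\$\{([^}]+)\}", ver)
        if m:
            ver = props.get(m.group(1), ver)
        affected = None if ver.startswith("${") else is_affected(ver)
        findings.append((gid, aid, ver, affected))
    return findings


# Constructed sample pom.xml: one dependency pinned via a property, one already fixed.
SAMPLE_POM = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <properties>
    <hugegraph.version>1.2.0</hugegraph.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.hugegraph</groupId>
      <artifactId>hugegraph-api</artifactId>
      <version>${hugegraph.version}</version>
    </dependency>
    <dependency>
      <groupId>org.apache.hugegraph</groupId>
      <artifactId>hugegraph-core</artifactId>
      <version>1.3.0</version>
    </dependency>
  </dependencies>
</project>
"""

if __name__ == "__main__":
    for gid, aid, ver, affected in scan_pom(SAMPLE_POM):
        status = {True: "AFFECTED, upgrade to 1.3.0", False: "ok", None: "UNRESOLVED"}[affected]
        print(f"{gid}:{aid}:{ver} -> {status}")
```

Replace `SAMPLE_POM` with the contents of a real pom.xml to check a project; transitive dependencies are not covered here, so pair it with `mvn dependency:tree` for a full picture.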
Additional Resources
- http://www.openwall.com/lists/oss-security/2024/04/22/3
- https://www.vicarius.io/vsociety/posts/remote-code-execution-vulnerability-in-apache-hugegraph-server-cve-2024-27348
- https://lists.apache.org/thread/nx6g6htyhpgtzsocybm242781o8w5kq9
- https://nvd.nist.gov/vuln/detail/CVE-2024-27348
- https://hugegraph.apache.org/docs/config/config-authentication/#configure-user-authentication
- https://github.com/apache/incubator-hugegraph
- https://github.com/apache/incubator-hugegraph/commit/713d88d1fd9953c3c3e3f130389501910ba40e1d
What are Similar Vulnerabilities to CVE-2024-27348?
Similar Vulnerabilities: CVE-2021-44228, CVE-2022-22965, CVE-2023-27350, CVE-2020-13935, CVE-2019-0232
