• AutoTL;DRB
    English
    114 days ago

    This is the best summary I could come up with:


    If you haven’t yet upgraded to version 1.3.0 of Apache HugeGraph, now’s a good time because at least two proof-of-concept exploits for a CVSS 9.8-rated remote command execution bug in the open-source graph database have been made public.

    The issue, CVE-2024-27348, can be abused to bypass sandbox restrictions and achieve remote code execution using specially crafted Gremlin commands that exploit missing reflection filtering in the SecurityManager.

    If exploited, the flaw ultimately gives the attacker complete control over the server and allows them to steal confidential data, snoop around the victim organization’s internal network, deploy ransomware, or perform any number of other evil deeds.

    In disclosing the bug back in April, the open-source project urged users to upgrade to version 1.3.0 with Java 11 and enable the Auth system to fix the flaw.

    One PoC exploit, contributed by bug bounty hunter Milan Jovic, allows unauthenticated users to execute OS commands on vulnerable versions.

    Another exploit developer, Zeyad Azima, has released a Python scanner, which, while intended to be used for ethical purposes only, will make it easier for anyone to find vulnerable HugeGraph implementations.


    The original article contains 348 words, the summary contains 183 words. Saved 47%. I’m a bot and I’m open source!