Received: by 2002:ab2:6203:0:b0:1f5:f2ab:c469 with SMTP id o3csp2270612lqt;
        Mon, 22 Apr 2024 06:31:56 -0700 (PDT)
X-Forwarded-Encrypted: i=2; AJvYcCVmB89g0DZgsLuNOBTp096iQdvOGzPkDLZVxAtQX+hZhUo7I6ZHg/nTJ4I5mmjIJjmaDzrT4oZcwYyGnH7CBKsBzMJAnaZyTgjCq0nJAQ==
X-Google-Smtp-Source: AGHT+IHRxWXwOQCGzxqchaKEtZ+1flMM5OlJZL8rMbYFw1o6TzGfsEVsWXkceEPGLTYT8Mt8Ht7h
X-Received: by 2002:a17:907:944a:b0:a55:bc7b:73c5 with SMTP id dl10-20020a170907944a00b00a55bc7b73c5mr1622928ejc.36.1713792716671;
        Mon, 22 Apr 2024 06:31:56 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1713792716; cv=none;
        d=google.com; s=arc-20160816;
        b=m0CdfnfWJJvg6HEasWoHWQxEwMpacax9hKbzzSFOjYmZWOUInVh+XPUN0bKDI1SQyN
         m8A+D+WGyj2of5zyraojkQdY0dw6vUJMrp/O6AUULRAbe/ACDCl9wvAONCR6GH1DiLfl
         j1r2/ovvzbDsKoOKJoovyIgVQfB87pYdj05SWnYW9DQ6IVNQLoPdw97VahoU3AsS4jml
         PcYQ8mqTCkrnehG7Q2qw3YKMvjjaC3nzhpF7l4vvCotCwo06zuIcp4zvh1I2xX4swQSB
         DAFtSRSyCnK68TvRPW4aBRKzG1O6l8TaKvSgIUotuJdcukd3n91OR8kjRa2/HbJ8UEAC
         aW+g==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=subject:to:message-id:date:from:in-reply-to:references:mime-version
         :delivered-to:delivered-to:reply-to:list-id:list-subscribe
         :list-unsubscribe:list-help:list-post:precedence:mailing-list;
        bh=OT2ZPnVTVcKHnLVCYMCh4755gkxhq011lMO95NCfs7s=;
        fh=9jsPTyo6edd9xvAeG+KFFrRrXMmgB/RdwUKOrvy9dcA=;
        b=a5cTu9SY7krw4VijuRFpGNRNS0uN/vgaOQUUIVp9bO3ytWMsZIQBmIm8rIeVmviQiX
         hxQWo8nzm8/iSp+DFlsPNeO9a+BcbDoKkRZq0iaAaIUUZvM23d7Xh/zr8JeKHODMMt6J
         Qk3gVfw3BTmOfn9agTla/JYJaPaFRxatPQcQ2lbiMkMCdUyvlH6UY0P5F5U2H7yLrb2R
         ykLlEZK+tQRDia4Zy0AU2D+fmV+luy4spATSBv7dt3nCLtoJE+T8fw8PxSSCNutMKhmG
         TjMZkDP9hJIQlzyvtRabXej6G5U4/lXN3VrrF8vKJW3MMOw6qqC9FtS4fdoUbB2ojKc2
         NyDg==;
        dara=google.com
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: domain of oss-security-return-30069-linux.lists.archive=gmail.com@lists.openwall.com designates 193.110.157.125 as permitted sender) smtp.mailfrom="oss-security-return-30069-linux.lists.archive=gmail.com@lists.openwall.com"
Return-Path: <oss-security-return-30069-linux.lists.archive=gmail.com@lists.openwall.com>
Received: from second.openwall.net (second.openwall.net. [193.110.157.125])
        by mx.google.com with SMTP id xa4-20020a170907b9c400b00a5872419decsi130840ejc.593.2024.04.22.06.31.56
        for <linux.lists.archive@gmail.com>;
        Mon, 22 Apr 2024 06:31:56 -0700 (PDT)
Received-SPF: pass (google.com: domain of oss-security-return-30069-linux.lists.archive=gmail.com@lists.openwall.com designates 193.110.157.125 as permitted sender) client-ip=193.110.157.125;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of oss-security-return-30069-linux.lists.archive=gmail.com@lists.openwall.com designates 193.110.157.125 as permitted sender) smtp.mailfrom="oss-security-return-30069-linux.lists.archive=gmail.com@lists.openwall.com"
Received: (qmail 3217 invoked by uid 550); 22 Apr 2024 13:29:23 -0000
Mailing-List: contact oss-security-help@lists.openwall.com; run by ezmlm
Precedence: bulk
List-Post: <mailto:oss-security@lists.openwall.com>
List-Help: <mailto:oss-security-help@lists.openwall.com>
List-Unsubscribe: <mailto:oss-security-unsubscribe@lists.openwall.com>
List-Subscribe: <mailto:oss-security-subscribe@lists.openwall.com>
List-ID: <oss-security.lists.openwall.com>
Reply-To: oss-security@lists.openwall.com
Delivered-To: mailing list oss-security@lists.openwall.com
Delivered-To: moderator for oss-security@lists.openwall.com
Received: (qmail 22425 invoked from network); 22 Apr 2024 07:39:40 -0000
Authentication-Results: apache.org; auth=none
X-Gm-Message-State: AOJu0YyQJS/POOaLTuTr3XyRMAUlphC8eDNN/vmtLQtbNTmYCW/i8yeg
	9I67HfMtgf2dD3LL4rpsSdmkpFFPQBLpLELEU1p5BUJYXOfXoXH1F2cgB7XOInnWxMl25ayHeDL
	VZHEHB099qyLYYz2QsNlmntq396s=
X-Received: by 2002:ad4:4a0a:0:b0:69b:51b7:b1ce with SMTP id
 m10-20020ad44a0a000000b0069b51b7b1cemr8541355qvz.21.1713771470149; Mon, 22
 Apr 2024 00:37:50 -0700 (PDT)
MIME-Version: 1.0
References: <CA+th4M+hZFd+u7zGbHhJ9acv0WFnOs95JiDek0ZWocCw+fN_5g@mail.gmail.com>
In-Reply-To: <CA+th4M+hZFd+u7zGbHhJ9acv0WFnOs95JiDek0ZWocCw+fN_5g@mail.gmail.com>
From: Imba Jin <jin@apache.org>
Date: Mon, 22 Apr 2024 15:37:38 +0800
X-Gmail-Original-Message-ID: <CA+th4MLqu7Fb+XM_RZxBcFMJJAnhoPqKWMMmWGCCg1j_YA2x8A@mail.gmail.com>
Message-ID: <CA+th4MLqu7Fb+XM_RZxBcFMJJAnhoPqKWMMmWGCCg1j_YA2x8A@mail.gmail.com>
To: oss-security@lists.openwall.com
Content-Type: text/plain; charset="UTF-8"
Subject: [oss-security] CVE-2024-27348: Apache HugeGraph-Server: Command execution in gremlin

Severity: important

Affected versions:

- Apache HugeGraph-Server 1.0.0 before 1.3.0

Description:

RCE-Remote Command Execution vulnerability in Apache
HugeGraph-Server.This issue affects Apache HugeGraph-Server: from
1.0.0 before 1.3.0 in Java8 & Java11

Users are recommended to upgrade to version 1.3.0 with Java11 & enable
the Auth system, which fixes the issue.

Also you could enable the "Whitelist-IP/port" function to improve the
security of RESTful-API execution

Credit:

6right of moresec (reporter)

References:

https://hugegraph.apache.org/docs/config/config-authentication/#configure-user-authentication
https://hugegraph.apache.org/docs/download/download/
https://www.cve.org/CVERecord?id=CVE-2024-27348