From: Imba Jin
Date: Mon, 22 Apr 2024 15:37:38 +0800
To: oss-security@lists.openwall.com
Subject: [oss-security] CVE-2024-27348: Apache HugeGraph-Server: Command execution in gremlin

Severity: important

Affected versions:
- Apache HugeGraph-Server 1.0.0 before 1.3.0

Description:
RCE-Remote Command Execution vulnerability in Apache HugeGraph-Server. This issue affects Apache HugeGraph-Server: from 1.0.0 before 1.3.0 in Java8 & Java11.

Users are recommended to upgrade to version 1.3.0 with Java11 & enable the Auth system, which fixes the issue. Also you could enable the "Whitelist-IP/port" function to improve the security of RESTful-API execution.

Credit: 6right of moresec (reporter)

References:
https://hugegraph.apache.org/docs/config/config-authentication/#configure-user-authentication
https://hugegraph.apache.org/docs/download/download/
https://www.cve.org/CVERecord?id=CVE-2024-27348
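The following is an added triage helper, not code from the advisory or from the Apache HugeGraph project. It turns the advisory's affected range (1.0.0 inclusive up to, but not including, 1.3.0) into a version check an operator can run over an inventory of deployments. It assumes the operator already has each server's version string (for example from the deployment's own version reporting; how that string is obtained is not covered here) and, as a labelled assumption, a flag saying whether the Auth system is enabled. It goes slightly beyond the advisory text in one way: a pre-release build of the fixed version (such as a hypothetical "1.3.0-SNAPSHOT") is conservatively treated as affected, because it predates the fix.

```python
# Added triage helper for CVE-2024-27348 (not part of the advisory or of
# the HugeGraph project). Affected range from the advisory: 1.0.0 <= v < 1.3.0.
import re
from typing import List, Tuple

# Version tuple layout: (major, minor, patch, is_release)
# is_release is 1 for a final build and 0 for a pre-release suffix
# (e.g. -SNAPSHOT, -rc1), so a pre-release sorts below its final build.
Version = Tuple[int, int, int, int]

AFFECTED_MIN: Version = (1, 0, 0, 0)  # inclusive (advisory: "from 1.0.0")
FIXED_VERSION: Version = (1, 3, 0, 1)  # exclusive (advisory: "before 1.3.0")

_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(-?[A-Za-z][\w.-]*)?")


def parse_version(text: str) -> Version:
    """Parse strings such as 'v1.2.0', 'hugegraph-1.0.0' or '1.3.0-SNAPSHOT'.

    A missing patch component counts as 0. A trailing alphabetic suffix
    marks the build as pre-release (is_release = 0)."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no version number found in {text!r}")
    major, minor, patch, suffix = m.groups()
    return (int(major), int(minor), int(patch or "0"), 0 if suffix else 1)


def is_affected(version: str) -> bool:
    """True if the version lies in [1.0.0, 1.3.0), pre-releases of 1.3.0 included."""
    return AFFECTED_MIN <= parse_version(version) < FIXED_VERSION


def triage(version: str, auth_enabled: bool) -> str:
    """One-line recommendation mirroring the advisory's guidance.

    `auth_enabled` is an operator-supplied flag (assumed input; reading it
    from a live deployment is out of scope here)."""
    if is_affected(version):
        return (f"{version}: AFFECTED - upgrade to 1.3.0 with Java 11 "
                f"and enable the Auth system")
    if not auth_enabled:
        return f"{version}: not in affected range, but Auth system is disabled - enable it"
    return f"{version}: not affected"


def affected_hosts(inventory: List[Tuple[str, str]]) -> List[str]:
    """Return the hostnames whose recorded version is in the affected range."""
    return [host for host, ver in inventory if is_affected(ver)]


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    ("graph-01.example.internal", "hugegraph-1.0.0"),
    ("graph-02.example.internal", "v1.2.0"),
    ("graph-03.example.internal", "1.3.0-SNAPSHOT"),
    ("graph-04.example.internal", "1.3.0"),
    ("graph-05.example.internal", "0.12.0"),
]

if __name__ == "__main__":
    for host, ver in SAMPLE_INVENTORY:
        print(host, "->", triage(ver, auth_enabled=False))
    print("affected:", affected_hosts(SAMPLE_INVENTORY))
```

Run over the constructed inventory, the three hosts on 1.0.0, 1.2.0 and the 1.3.0 pre-release are reported as affected; the 1.3.0 host is only flagged for having the Auth system disabled, and the 0.12.0 host falls outside the range the advisory names and is left for the operator to judge separately.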