SecureLayer7 specialists published a detailed analysis of the popular graph database Apache HugeGraph, revealing a vulnerability that allows remote code execution (RCE).
CVE-2024-27348 (CVSS: 9.8) was identified in hugegraph-server versions 1.0.0 – 1.3.0. The exploit involves bypassing sandbox restrictions and executing remote code using specially crafted Gremlin commands.
These Gremlin commands exploit weaknesses in the SecurityManager's reflection filtering, enabling attackers to gain full control over the server. This vulnerability could lead to data theft, network espionage, ransomware deployment, and other malicious activities.
Apache HugeGraph enables developers to build applications on graph databases and is commonly used in Java 8 and Java 11 environments. The discovered vulnerability poses a significant threat to organizations utilizing Apache HugeGraph.
In April, when the issue was first disclosed, the Apache Software Foundation urgently advised users to update to version 1.3.0 and activate the authentication system to mitigate the vulnerability. Enhancing security measures, such as enabling the “Whitelist-IP/Port” functionality, is also recommended to bolster protection for the RESTful APIs.
With the availability of PoC exploits, the risk of exploitation has markedly increased. One exploit, shared by bug hunter Milan Jovich, enables unauthorized attackers to execute commands on vulnerable versions. Another developer, Zeyad Azima, released a Python scanner designed for ethical hacking purposes, aiding in the identification of vulnerable HugeGraph instances.
Given the widespread usage of Apache HugeGraph and the criticality of CVE-2024-27348, immediately updating to version 1.3.0 is imperative. If your project has yet to transition to version 1.3.0, it is advised to do so promptly.