CVE-2024-27348
CRITICAL9.8⚠ KEVEPSS 94.3%Apache HugeGraph-Server: Command execution in gremlin
Published: 4/22/2024Modified: 10/22/2025Added to CISA KEV: 9/18/2024
Description
RCE-Remote Command Execution vulnerability in Apache HugeGraph-Server.This issue affects Apache HugeGraph-Server: from 1.0.0 before 1.3.0 in Java8 & Java11 Users are recommended to upgrade to version 1.3.0 with Java11 & enable the Auth system, which fixes the issue.
Affected packages (2)
- Maven/org.apache.hugegraph:hugegraph-api>= 1.0.0, < 1.3.0
- Maven/org.apache.hugegraph:hugegraph-core>= 1.0.0, < 1.3.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A |
| osv | CVSS 3.1 | CRITICAL9.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H |
References (8)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2024-27348
- PATCHhttps://github.com/apache/incubator-hugegraph
- WEBhttps://github.com/apache/incubator-hugegraph/commit/713d88d1fd9953c3c3e3f130389501910ba40e1d
- WEBhttps://hugegraph.apache.org/docs/config/config-authentication/#configure-user-authentication
- WEBhttps://lists.apache.org/thread/nx6g6htyhpgtzsocybm242781o8w5kq9
- WEBhttps://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-27348
- WEBhttps://www.vicarius.io/vsociety/posts/remote-code-execution-vulnerability-in-apache-hugegraph-server-cve-2024-27348
- WEBhttp://www.openwall.com/lists/oss-security/2024/04/22/3