Known Exploited Vulnerability
9.8
CRITICAL
CVE-2024-27348
Apache HugeGraph-Server Improper Access Control Vu - [Actively Exploited]
Description

RCE-Remote Command Execution vulnerability in Apache HugeGraph-Server.This issue affects Apache HugeGraph-Server: from 1.0.0 before 1.3.0 in Java8 & Java11 Users are recommended to upgrade to version 1.3.0 with Java11 & enable the Auth system, which fixes the issue.

INFO

Published Date :

April 22, 2024, 2:15 p.m.

Last Modified :

Sept. 19, 2024, 7:55 p.m.

Remotely Exploitable :

Yes !

Impact Score :

5.9

Exploitability Score :

3.9
CISA Notification
CISA KEV (Known Exploited Vulnerabilities)

For the benefit of the cybersecurity community and network defenders—and to help every organization better manage vulnerabilities and keep pace with threat activity—CISA maintains the authoritative source of vulnerabilities that have been exploited in the wild.

Description :

Apache HugeGraph-Server contains an improper access control vulnerability that could allow a remote attacker to execute arbitrary code.

Required Action :

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Notes :

This vulnerability affects a common open-source component, third-party library, or a protocol used by different products. For more information, please see: https://lists.apache.org/thread/nx6g6htyhpgtzsocybm242781o8w5kq9 ; https://nvd.nist.gov/vuln/detail/CVE-2024-27348

Public PoC/Exploit Available at Github

CVE-2024-27348 has a 12 public PoC/Exploit available at Github. Go to the Public Exploits tab to see the list.

Affected Products

The following products are affected by CVE-2024-27348 vulnerability. Even if cvefeed.io is aware of the exact versions of the products that are affected, the information is not represented in the table below.

ID Vendor Product Action
1 Oracle jdk
2 Oracle jre
1 Apache hugegraph
References to Advisories, Solutions, and Tools

Here, you will find a curated list of external links that provide in-depth information, practical solutions, and valuable tools related to CVE-2024-27348.

URL Resource
http://www.openwall.com/lists/oss-security/2024/04/22/3 Mailing List Third Party Advisory
https://hugegraph.apache.org/docs/config/config-authentication/#configure-user-authentication Product
https://lists.apache.org/thread/nx6g6htyhpgtzsocybm242781o8w5kq9 Mailing List Vendor Advisory

We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).

None

Updated: 4 weeks ago
0 stars 0 fork 0 watcher
Born at : Sept. 9, 2024, 1:28 a.m. This repo has been linked 128 different CVEs too.

None

HTML

Updated: 4 weeks ago
0 stars 0 fork 0 watcher
Born at : Sept. 4, 2024, 9:24 a.m. This repo has been linked 128 different CVEs too.

None

HTML

Updated: 1 month, 3 weeks ago
5 stars 0 fork 0 watcher
Born at : Aug. 2, 2024, 6:07 a.m. This repo has been linked 123 different CVEs too.

None

Updated: 2 months, 1 week ago
1 stars 0 fork 0 watcher
Born at : June 14, 2024, 6:54 a.m. This repo has been linked 95 different CVEs too.

None

Python

Updated: 2 months, 1 week ago
4 stars 1 fork 1 watcher
Born at : June 12, 2024, 8:14 a.m. This repo has been linked 1 different CVEs too.

Apache HugeGraph Server Unauthenticated RCE - CVE-2024-27348 Proof of concept Exploit

apache application-security bugbounty bugbounty-tool bugbountytips exploit hack hacking-tool malware penetration-testing-tools platform-security rce security unauthenticated web-application-security zero-day zero-day-exploit cve-2024-27348 hugehraph one-day-exploit

Python

Updated: 1 month ago
15 stars 7 fork 7 watcher
Born at : June 3, 2024, 7:08 p.m. This repo has been linked 1 different CVEs too.

Apache HugeGraph Server RCE Scanner ( CVE-2024-27348 )

apache cve cve-scanning exploit vulnerability vulnerability-scanners

Python

Updated: 1 month, 1 week ago
55 stars 14 fork 14 watcher
Born at : May 31, 2024, 8:11 p.m. This repo has been linked 1 different CVEs too.

None

Python

Updated: 3 months, 2 weeks ago
0 stars 0 fork 0 watcher
Born at : May 11, 2024, 4:27 p.m. This repo has been linked 9 different CVEs too.

None

HTML Python

Updated: 3 months, 1 week ago
13 stars 1 fork 1 watcher
Born at : April 17, 2024, 8:46 a.m. This repo has been linked 100 different CVEs too.

收集整理漏洞EXP/POC,大部分漏洞来源网络,目前收集整理了1000多个poc/exp,长期更新。

Updated: 4 weeks, 1 day ago
3420 stars 699 fork 699 watcher
Born at : Aug. 19, 2023, 12:08 p.m. This repo has been linked 125 different CVEs too.

Ostorlab KEV: One-command to detect most remotely known exploitable vulnerabilities. Sourced from CISA KEV, Google's Tsunami, Ostorlab's Asteroid and Bug Bounty programs.

cisa-kev vulnerability 0day cisa exploits

Updated: 1 month ago
516 stars 32 fork 32 watcher
Born at : April 19, 2022, 8:58 a.m. This repo has been linked 1181 different CVEs too.

📡 PoC auto collect from GitHub. ⚠️ Be careful Malware.

security cve exploit poc vulnerability

Updated: 4 weeks, 1 day ago
6375 stars 1107 fork 1107 watcher
Born at : Dec. 8, 2019, 1:03 p.m. This repo has been linked 904 different CVEs too.

Results are limited to the first 15 repositories due to potential performance issues.

The following list is the news that have been mention CVE-2024-27348 vulnerability anywhere in the article.

  • The Register
Apple's latest macOS release is breaking security software, network connections

Infosec In Brief Something's wrong with macOS Sequoia, and it's breaking security software installed on some updated Apple systems. Sequoia, aka macOS 15, was released on Monday of last week. By Thurs ... Read more

Published Date: Sep 23, 2024 (2 weeks ago)
  • BleepingComputer
CISA warns of actively exploited Apache HugeGraph-Server bug

The U.S. Cybersecurity and Infrastructure Agency (CISA) has added five flaws to its Known Exploited Vulnerabilities (KEV) catalog, among which is a remote code execution (RCE) flaw impacting Apache Hu ... Read more

Published Date: Sep 19, 2024 (2 weeks, 4 days ago)
  • The Cyber Express
5 New Vulnerabilities Added to CISA’s Known Exploited List: Urgent Action Required

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added five new vulnerabilities to its Known Exploited Vulnerabilities Catalog, highlighting the continued threat that these securit ... Read more

Published Date: Sep 19, 2024 (2 weeks, 4 days ago)
  • security.nl
CISA: kritiek lek in Apache HugeGraph-servers actief aangevallen

Aanvallers maken actief misbruik van een kritieke kwetsbaarheid in Apache HugeGraph Server waarvoor in april een beveiligingsupdate verscheen. Dat laat het Cybersecurity and Infrastructure Security Ag ... Read more

Published Date: Sep 19, 2024 (2 weeks, 4 days ago)
  • The Hacker News
GitLab Patches Critical SAML Authentication Bypass Flaw in CE and EE Editions

Enterprise Security / DevOps GitLab has released patches to address a critical flaw impacting Community Edition (CE) and Enterprise Edition (EE) that could result in an authentication bypass. The vuln ... Read more

Published Date: Sep 19, 2024 (2 weeks, 4 days ago)
  • Cybersecurity News
CISA Warns of Actively Exploited Apache, Microsoft, and Oracle Vulnerabilities

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning to federal agencies and organizations worldwide: five newly identified security vulnerabilities are being actively ... Read more

Published Date: Sep 19, 2024 (2 weeks, 4 days ago)
  • Cybersecurity News
CVE-2024-42479 (CVSS 10) in Popular Python Package llama_cpp_python Exposes Millions to RCE

Please enable JavaScriptA severe security vulnerability has been discovered in the widely-used AI library llama_cpp_python, potentially allowing threat actors to execute malicious code on affected sys ... Read more

Published Date: Aug 15, 2024 (1 month, 3 weeks ago)
  • Cybersecurity News
CVE-2024-36877 in MSI Motherboards Opens Door to Code Execution Attacks, PoC Published

MSI, a leading manufacturer of computer hardware, has recently disclosed a critical vulnerability, tracked as CVE-2024-36877, that affects a wide range of its motherboards. The vulnerability, residing ... Read more

Published Date: Aug 15, 2024 (1 month, 3 weeks ago)
  • Cybersecurity News
Dark Skippy: New Threat Steals Secret Keys from Signing Devices

A serious security threat called Dark Skippy has emerged in the cryptocurrency world. This method allows malicious actors to extract private keys from transaction signing devices, such as hardware wal ... Read more

Published Date: Aug 12, 2024 (1 month, 3 weeks ago)
  • Cybersecurity News
CVE-2024-21302, CVE-2024-38202: Zero-Day Vulnerabilities Expose Windows Systems to “Unpatching” Attacks

At Black Hat 2024, security researcher Alon Leviev from SafeBreach security researcher unveiled two zero-day vulnerabilities (CVE-2024-21302, CVE-2024-38202) that could be exploited to reverse patches ... Read more

Published Date: Aug 08, 2024 (1 month, 4 weeks ago)
  • The Hacker News
Critical Apache HugeGraph Vulnerability Under Attack - Patch ASAP

Vulnerability / Data Security Threat actors are actively exploiting a recently disclosed critical security flaw impacting Apache HugeGraph-Server that could lead to remote code execution attacks. Trac ... Read more

Published Date: Jul 17, 2024 (2 months, 2 weeks ago)

The following table lists the changes that have been made to the CVE-2024-27348 vulnerability over time.

Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.

  • Initial Analysis by [email protected]

    Sep. 19, 2024

    Action Type Old Value New Value
    Added CVSS V3.1 NIST AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    Changed Reference Type http://www.openwall.com/lists/oss-security/2024/04/22/3 No Types Assigned http://www.openwall.com/lists/oss-security/2024/04/22/3 Mailing List, Third Party Advisory
    Changed Reference Type https://hugegraph.apache.org/docs/config/config-authentication/#configure-user-authentication No Types Assigned https://hugegraph.apache.org/docs/config/config-authentication/#configure-user-authentication Product
    Changed Reference Type https://lists.apache.org/thread/nx6g6htyhpgtzsocybm242781o8w5kq9 No Types Assigned https://lists.apache.org/thread/nx6g6htyhpgtzsocybm242781o8w5kq9 Mailing List, Vendor Advisory
    Added CWE NIST NVD-CWE-noinfo
    Added CPE Configuration AND OR *cpe:2.3:a:apache:hugegraph:*:*:*:*:*:*:*:* versions from (including) 1.0.0 up to (excluding) 1.3.0 OR cpe:2.3:a:oracle:jdk:8:*:*:*:*:*:*:* cpe:2.3:a:oracle:jdk:11:*:*:*:*:*:*:* cpe:2.3:a:oracle:jre:8:*:*:*:*:*:*:* cpe:2.3:a:oracle:jre:11:*:*:*:*:*:*:*
  • CVE CISA KEV Update by 9119a7d8-5eab-497f-8521-727c672e3725

    Sep. 19, 2024

    Action Type Old Value New Value
    Added Date Added 2024-09-18
    Added Vulnerability Name Apache HugeGraph-Server Improper Access Control Vulnerability
    Added Due Date 2024-10-09
    Added Required Action Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
  • CVE Modified by 134c704f-9b21-4f2e-91b3-4a467353bcc0

    Aug. 01, 2024

    Action Type Old Value New Value
    Added CWE CISA-ADP CWE-284
    Added CVSS V3.1 CISA-ADP AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • CVE Modified by [email protected]

    May. 14, 2024

    Action Type Old Value New Value
  • CVE Modified by [email protected]

    May. 01, 2024

    Action Type Old Value New Value
    Added Reference Apache Software Foundation http://www.openwall.com/lists/oss-security/2024/04/22/3 [No types assigned]
  • CVE Received by [email protected]

    Apr. 22, 2024

    Action Type Old Value New Value
    Added Description RCE-Remote Command Execution vulnerability in Apache HugeGraph-Server.This issue affects Apache HugeGraph-Server: from 1.0.0 before 1.3.0 in Java8 & Java11 Users are recommended to upgrade to version 1.3.0 with Java11 & enable the Auth system, which fixes the issue.
    Added Reference Apache Software Foundation https://hugegraph.apache.org/docs/config/config-authentication/#configure-user-authentication [No types assigned]
    Added Reference Apache Software Foundation https://lists.apache.org/thread/nx6g6htyhpgtzsocybm242781o8w5kq9 [No types assigned]
EPSS is a daily estimate of the probability of exploitation activity being observed over the next 30 days. Following chart shows the EPSS score history of the vulnerability.
CWE - Common Weakness Enumeration

While CVE identifies specific instances of vulnerabilities, CWE categorizes the common flaws or weaknesses that can lead to vulnerabilities. CVE-2024-27348 is associated with the following CWEs:

CVSS31 - Vulnerability Scoring System
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability