this post was submitted on 07 Jun 2024

Cybersecurity

[email protected] 1 point 7 months ago

This is the best summary I could come up with:

If you haven't yet upgraded to version 1.3.0 of Apache HugeGraph, now's a good time because at least two proof-of-concept exploits for a CVSS 9.8-rated remote command execution bug in the open-source graph database have been made public.

The issue, CVE-2024-27348, can be abused to bypass sandbox restrictions, and achieve remote code execution using specially crafted Gremlin commands that exploit missing reflection filtering in the SecurityManager.

If exploited, the flaw ultimately gives the attacker complete control over the server and allows them to steal confidential data, snoop around the victim organization's internal network, deploy ransomware, or perform any other number of evil deeds.

In disclosing the bug back in April, the open-source project urged users to upgrade to version 1.3.0 with Java 11 and enable the Auth system to fix the flaw.

One PoC exploit, contributed by bug bounty hunter Milan Jovic, allows unauthenticated users to execute OS commands on vulnerable versions.

Another exploit developer, Zeyad Azima, has released a Python scanner, which, while intended to be used for ethical purposes only, will make it easier for anyone to find vulnerable HugeGraph implementations.

The original article contains 348 words, the summary contains 183 words. Saved 47%. I'm a bot and I'm open source!