CVE-2024-27438

EPSS 2.34%
Veröffentlicht 21.03.2024 10:15:08
Zuletzt bearbeitet 17.06.2025 13:50:01
Quelle security@apache.org
CVE-Watchlists
Login
Unerledigt
Login

Apache Doris: Downloading arbitrary remote jar files resulting in remote command execution

Download of Code Without Integrity Check vulnerability in Apache Doris.
The jdbc driver files used for JDBC catalog is not checked and may resulting in remote command execution.
Once the attacker is authorized to create a JDBC catalog, he/she can use arbitrary driver jar file with unchecked code snippet. This code snippet will be run when catalog is initializing without any check.
This issue affects Apache Doris: from 1.2.0 through 2.0.4.

Users are recommended to upgrade to version 2.0.5 or 2.1.x, which fixes the issue.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 5

NVD 1 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Apache ≫ Doris Version >= 1.2.0 < 2.0.5

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	2.34%	0.849

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
134c704f-9b21-4f2e-91b3-4a467353bcc0	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-494 Download of Code Without Integrity Check

The product downloads source code or an executable from a remote location and executes the code without sufficiently verifying the origin and integrity of the code.

http://www.openwall.com/lists/oss-security/2024/03/21/1

Mailing List

https://lists.apache.org/thread/h95h82b0svlnwcg6c2xq4b08j6gwgczh

Mitigation

https://nvd.nist.gov/vuln/detail/CVE-2024-27438

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-27438

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-27438

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2024-27438