CVE-2024-27438

EPSS 2.91%
Veröffentlicht 21.03.2024 10:15:08
Zuletzt bearbeitet 17.06.2025 13:50:01
Quelle security@apache.org
Teams Watchlist Login
Unerledigt Login

Download of Code Without Integrity Check vulnerability in Apache Doris.
The jdbc driver files used for JDBC catalog is not checked and may resulting in remote command execution.
Once the attacker is authorized to create a JDBC catalog, he/she can use arbitrary driver jar file with unchecked code snippet. This code snippet will be run when catalog is initializing without any check.
This issue affects Apache Doris: from 1.2.0 through 2.0.4.

Users are recommended to upgrade to version 2.0.5 or 2.1.x, which fixes the issue.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 5

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Apache ≫ Doris Version >= 1.2.0 < 2.0.5

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	2.91%	0.858

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
134c704f-9b21-4f2e-91b3-4a467353bcc0	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-494 Download of Code Without Integrity Check

The product downloads source code or an executable from a remote location and executes the code without sufficiently verifying the origin and integrity of the code.

http://www.openwall.com/lists/oss-security/2024/03/21/1

Mailing List

https://lists.apache.org/thread/h95h82b0svlnwcg6c2xq4b08j6gwgczh

Mitigation

https://nvd.nist.gov/vuln/detail/CVE-2024-27438

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-27438

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-27438

EUVD