CVE-2024-27438

EPSS 2.91%
Published 21.03.2024 10:15:08
Last modified 17.06.2025 13:50:01
Source security@apache.org
Teams watchlist Login
Open Login

Download of Code Without Integrity Check vulnerability in Apache Doris.
The jdbc driver files used for JDBC catalog is not checked and may resulting in remote command execution.
Once the attacker is authorized to create a JDBC catalog, he/she can use arbitrary driver jar file with unchecked code snippet. This code snippet will be run when catalog is initializing without any check.
This issue affects Apache Doris: from 1.2.0 through 2.0.4.

Users are recommended to upgrade to version 2.0.5 or 2.1.x, which fixes the issue.

Affected products Warnungen 0 Metrics 2 CWE 1 References 5

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

This information is available to logged-in users.

Data is provided by the National Vulnerability Database (NVD)

Apache ≫ Doris Version >= 1.2.0 < 2.0.5

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	2.91%	0.858

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
134c704f-9b21-4f2e-91b3-4a467353bcc0	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-494 Download of Code Without Integrity Check

The product downloads source code or an executable from a remote location and executes the code without sufficiently verifying the origin and integrity of the code.

http://www.openwall.com/lists/oss-security/2024/03/21/1

Mailing List

https://lists.apache.org/thread/h95h82b0svlnwcg6c2xq4b08j6gwgczh

Mitigation

https://nvd.nist.gov/vuln/detail/CVE-2024-27438

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-27438

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-27438

EUVD