Months after a patch was released, a vulnerability in Apache HugeGraph-Server is being actively exploited for remote code execution (RCE) on unpatched instances.
The nonprofit security organization Shadowserver Foundation sounded the alarm on Mastodon: “We are observing Apache HugeGraph-Server CVE-2024-27348 RCE ‘POST /gremlin’ exploitation attempts from multiple sources,” the alert read. “PoC code has been public since early June. If you are using HugeGraph, please ensure you update.”
The vulnerability Shadowserver refers to, CVE-2024-27348, is a remote command execution flaw in the Gremlin graph traversal language API. It carries a CVSS severity rating of 9.8 (critical) and affects all versions of the software prior to 1.3.0.
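As an added illustration, not code from the article, from Shadowserver or from the HugeGraph project: a small Python script that does the two things a defender reading the above would want to do first. It decides whether a reported HugeGraph-Server version string falls in the affected range (anything older than 1.3.0, padding short versions so that "1.3" is not misread as older than "1.3.0"), and it runs over a few constructed, web-server-style access log lines to flag POST /gremlin requests arriving from outside an assumed allowlist of trusted client networks, which is the traffic pattern Shadowserver reports. The log format, the addresses and the allowlist are assumptions made for the example; no exploit payload is included.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample of access log lines (common log format) for a
# HugeGraph-Server instance. Illustrative only, not real captures.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Jul/2024:08:01:12 +0000] "GET /versions HTTP/1.1" 200 113
203.0.113.40 - - [10/Jul/2024:08:01:15 +0000] "POST /gremlin HTTP/1.1" 200 742
10.0.0.5 - - [10/Jul/2024:08:02:01 +0000] "POST /gremlin HTTP/1.1" 200 88
198.51.100.7 - - [10/Jul/2024:08:02:33 +0000] "POST /gremlin HTTP/1.1" 401 0
203.0.113.40 - - [10/Jul/2024:08:03:09 +0000] "GET /graphs HTTP/1.1" 200 51
"""

# Hypothetical allowlist: client networks that are permitted to reach the
# Gremlin API. Anything else posting to /gremlin is worth a look.
TRUSTED_NETWORKS = [ip_network("10.0.0.0/8")]

# First HugeGraph-Server release that contains the fix for CVE-2024-27348.
FIXED_VERSION = (1, 3, 0)

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_version(text):
    """Turn '1.2.0', 'v1.10.0' or '1.3.0-SNAPSHOT' into a 3-tuple of ints.

    Short versions are padded with zeros so that '1.3' compares equal to
    '1.3.0' rather than sorting before it.
    """
    core = text.strip().lstrip("v").split("-")[0]
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_vulnerable_version(version):
    """True when the server version is older than the fixed release 1.3.0."""
    return parse_version(version) < FIXED_VERSION


def find_gremlin_posts(log_text, trusted=TRUSTED_NETWORKS):
    """Return (client_ip, http_status) for every POST /gremlin request that
    did not come from a trusted network. A 200 means the server accepted and
    executed the query; a 401 means authentication rejected it."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand
        path = m["path"].split("?", 1)[0]
        if m["method"] != "POST" or path != "/gremlin":
            continue
        src = ip_address(m["ip"])
        if any(src in net for net in trusted):
            continue
        hits.append((m["ip"], int(m["status"])))
    return hits


if __name__ == "__main__":
    for v in ("1.0.0", "1.2.0", "1.3.0", "v1.10.0"):
        print(f"{v:8} vulnerable={is_vulnerable_version(v)}")
    for ip, status in find_gremlin_posts(SAMPLE_LOG):
        verdict = "ACCEPTED" if status == 200 else "rejected"
        print(f"POST /gremlin from untrusted {ip}: HTTP {status} ({verdict})")
```

In the constructed sample the script reports 203.0.113.40 (a request the server answered with 200, i.e. the query ran) and 198.51.100.7 (rejected with 401); the in-network 10.0.0.5 is not reported. Where the server version comes from (the server's own version endpoint, package metadata, a deployment inventory) is left to the reader; the check only needs the version string.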
Version 1.3.0, which addresses the issue, was released in April 2024. At the time, the Apache Software Foundation urged users to apply the patch and enable the Auth system, adding: “You may also want to enable the ‘Whitelist IP/port’ feature to improve the security of RESTful API execution.”
What is Apache HugeGraph?
Apache HugeGraph is an open source graph database system, supporting the storage and querying of billions of vertices and edges. Implemented using the Apache TinkerPop3 framework, it is fully compatible with the Gremlin query language, enabling complex graph queries and analysis.
HugeGraph is suitable for various applications such as deep relationship exploration, association analysis, path search, feature extraction, data clustering, community detection and knowledge graphs. It is used in fields such as network security, telecommunication fraud detection, financial risk management, advertising recommendation, social networking and intelligent robots.
HugeGraph-Server is the core component of the Apache HugeGraph project, responsible for the storage, querying and management of graph data. It is designed to manage and process large-scale graph data efficiently, supports multiple backend storage engines, and exposes the REST APIs (including the Gremlin endpoint targeted here) used to interact with that data.
Via The Hacker News