Vulnerability Instance
Look up vulnerabilities affecting packages.
GET /api/vulnerabilities/55809?format=api
{ "url": "http://public2.vulnerablecode.io/api/vulnerabilities/55809?format=api", "vulnerability_id": "VCID-m79u-j9m4-ufbt", "summary": "RCE-Remote Command Execution vulnerability in Apache HugeGraph-Server. This issue affects Apache HugeGraph-Server: from 1.0.0 before 1.3.0 in Java8 & Java11\n\nUsers are recommended to upgrade to version 1.3.0 with Java11 & enable the Auth system, which fixes the issue.", "aliases": [ { "alias": "CVE-2024-27348" }, { "alias": "GHSA-29rc-vq7f-x335" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/30696?format=api", "purl": "pkg:maven/org.apache.hugegraph/hugegraph-api@1.3.0", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.hugegraph/hugegraph-api@1.3.0" }, { "url": "http://public2.vulnerablecode.io/api/packages/30700?format=api", "purl": "pkg:maven/org.apache.hugegraph/hugegraph-core@1.3.0", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.hugegraph/hugegraph-core@1.3.0" } ], "affected_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/30695?format=api", "purl": "pkg:maven/org.apache.hugegraph/hugegraph-api@1.0.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-dxrn-hdrr-3qgc" }, { "vulnerability": "VCID-m79u-j9m4-ufbt" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.hugegraph/hugegraph-api@1.0.0" }, { "url": "http://public2.vulnerablecode.io/api/packages/711311?format=api", "purl": "pkg:maven/org.apache.hugegraph/hugegraph-api@1.2.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-dxrn-hdrr-3qgc" }, { "vulnerability": "VCID-m79u-j9m4-ufbt" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.hugegraph/hugegraph-api@1.2.0" }, { "url": 
"http://public2.vulnerablecode.io/api/packages/30699?format=api", "purl": "pkg:maven/org.apache.hugegraph/hugegraph-core@1.0.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-m79u-j9m4-ufbt" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.hugegraph/hugegraph-core@1.0.0" }, { "url": "http://public2.vulnerablecode.io/api/packages/711310?format=api", "purl": "pkg:maven/org.apache.hugegraph/hugegraph-core@1.2.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-m79u-j9m4-ufbt" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.hugegraph/hugegraph-core@1.2.0" } ], "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27348", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.94344", "scoring_system": "epss", "scoring_elements": "0.99959", "published_at": "2026-06-14T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27348" }, { "reference_url": "https://github.com/apache/incubator-hugegraph", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/apache/incubator-hugegraph" }, { "reference_url": "https://github.com/apache/incubator-hugegraph/commit/713d88d1fd9953c3c3e3f130389501910ba40e1d", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A" }, 
{ "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/apache/incubator-hugegraph/commit/713d88d1fd9953c3c3e3f130389501910ba40e1d" }, { "reference_url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-27348", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-27348" }, { "reference_url": "https://www.vicarius.io/vsociety/posts/remote-code-execution-vulnerability-in-apache-hugegraph-server-cve-2024-27348", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.vicarius.io/vsociety/posts/remote-code-execution-vulnerability-in-apache-hugegraph-server-cve-2024-27348" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2024/04/22/3", "reference_id": "3", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H" }, { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A" }, { "value": 
"CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Act", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2024-09-25T03:55:41Z/" } ], "url": "http://www.openwall.com/lists/oss-security/2024/04/22/3" }, { "reference_url": "https://hugegraph.apache.org/docs/config/config-authentication/#configure-user-authentication", "reference_id": "#configure-user-authentication", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Act", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2024-09-25T03:55:41Z/" } ], "url": "https://hugegraph.apache.org/docs/config/config-authentication/#configure-user-authentication" }, { "reference_url": "https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/java/webapps/52149.py", "reference_id": "CVE-2024-27348", "reference_type": "exploit", "scores": [], "url": "https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/java/webapps/52149.py" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27348", "reference_id": "CVE-2024-27348", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": 
"https://nvd.nist.gov/vuln/detail/CVE-2024-27348" }, { "reference_url": "https://github.com/advisories/GHSA-29rc-vq7f-x335", "reference_id": "GHSA-29rc-vq7f-x335", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-29rc-vq7f-x335" }, { "reference_url": "https://lists.apache.org/thread/nx6g6htyhpgtzsocybm242781o8w5kq9", "reference_id": "nx6g6htyhpgtzsocybm242781o8w5kq9", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Act", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2024-09-25T03:55:41Z/" } ], "url": "https://lists.apache.org/thread/nx6g6htyhpgtzsocybm242781o8w5kq9" } ], "weaknesses": [ { "cwe_id": 77, "name": "Improper Neutralization of Special Elements used in a Command ('Command Injection')", "description": "The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component." }, { "cwe_id": 284, "name": "Improper Access Control", "description": "The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor." }, { "cwe_id": 937, "name": "OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities", "description": "Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013." 
}, { "cwe_id": 1035, "name": "OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities", "description": "Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017." } ], "exploits": [ { "date_added": null, "description": "This module exploits CVE-2024-27348 which is a Remote Code Execution (RCE) vulnerability that exists in\n Apache HugeGraph Server in versions before 1.3.0. An attacker can bypass the sandbox restrictions and achieve\n RCE through Gremlin, resulting in complete control over the server", "required_action": null, "due_date": null, "notes": "Stability:\n - crash-safe\nSideEffects:\n - artifacts-on-disk\nReliability:\n - repeatable-session\n", "known_ransomware_campaign_use": false, "source_date_published": "2024-04-22", "exploit_type": null, "platform": "Linux,Unix", "source_date_updated": null, "data_source": "Metasploit", "source_url": "https://github.com/rapid7/metasploit-framework/tree/master/modules/exploits/linux/http/apache_hugegraph_gremlin_rce.rb" }, { "date_added": "2024-09-18", "description": "Apache HugeGraph-Server contains an improper access control vulnerability that could allow a remote attacker to execute arbitrary code.", "required_action": "Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.", "due_date": "2024-10-09", "notes": "This vulnerability affects a common open-source component, third-party library, or a protocol used by different products. Please check with specific vendors for information on patching status. For more information, please see: https://lists.apache.org/thread/nx6g6htyhpgtzsocybm242781o8w5kq9 ; https://nvd.nist.gov/vuln/detail/CVE-2024-27348", "known_ransomware_campaign_use": false, "source_date_published": null, "exploit_type": null, "platform": null, "source_date_updated": null, "data_source": "KEV", "source_url": null }, { "date_added": "2025-04-09", "description": "Apache HugeGraph Server 1.2.0 - Remote Code Execution (RCE)", "required_action": null, "due_date": null, "notes": null, "known_ransomware_campaign_use": false, "source_date_published": "2025-04-09", "exploit_type": "webapps", "platform": "java", "source_date_updated": "2025-04-13", "data_source": "Exploit-DB", "source_url": "" } ], "severity_range_score": "9.0 - 10.0", "exploitability": "2.0", "weighted_severity": "9.0", "risk_score": 10.0, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-m79u-j9m4-ufbt" }