Vulnerability Instance

HTTP 200 OK
Allow: GET, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept

{
    "url": "http://public2.vulnerablecode.io/api/vulnerabilities/38605?format=api",
    "vulnerability_id": "VCID-ec6u-k3jr-wud6",
    "summary": "Databricks JDBC Driver 2.x before 2.6.40 could potentially allow remote code execution (RCE) by triggering a JNDI injection via a JDBC URL parameter. The vulnerability is rooted in the improper handling of the krbJAASFile parameter. An attacker could potentially exploit this vulnerability to achieve Remote Code Execution in the context of the driver by tricking a victim into using a crafted connection URL that uses the property krbJAASFile.",
    "aliases": [
        {
            "alias": "CVE-2024-49194"
        },
        {
            "alias": "GHSA-jxw2-jvxf-5vrp"
        }
    ],
    "fixed_packages": [
        {
            "url": "http://public2.vulnerablecode.io/api/packages/372488?format=api",
            "purl": "pkg:maven/com.databricks/databricks-jdbc@2.6.40",
            "is_vulnerable": false,
            "affected_by_vulnerabilities": [],
            "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/com.databricks/databricks-jdbc@2.6.40"
        }
    ],
    "affected_packages": [
        {
            "url": "http://public2.vulnerablecode.io/api/packages/1153548?format=api",
            "purl": "pkg:maven/com.databricks/databricks-jdbc@2.0",
            "is_vulnerable": true,
            "affected_by_vulnerabilities": [
                {
                    "vulnerability": "VCID-ec6u-k3jr-wud6"
                }
            ],
            "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/com.databricks/databricks-jdbc@2.0"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/packages/769241?format=api",
            "purl": "pkg:maven/com.databricks/databricks-jdbc@2.6.25-alpha-1",
            "is_vulnerable": true,
            "affected_by_vulnerabilities": [
                {
                    "vulnerability": "VCID-ec6u-k3jr-wud6"
                }
            ],
            "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/com.databricks/databricks-jdbc@2.6.25-alpha-1"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/packages/769242?format=api",
            "purl": "pkg:maven/com.databricks/databricks-jdbc@2.6.25-alpha-2",
            "is_vulnerable": true,
            "affected_by_vulnerabilities": [
                {
                    "vulnerability": "VCID-ec6u-k3jr-wud6"
                }
            ],
            "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/com.databricks/databricks-jdbc@2.6.25-alpha-2"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/packages/769243?format=api",
            "purl": "pkg:maven/com.databricks/databricks-jdbc@2.6.25-beta-1",
            "is_vulnerable": true,
            "affected_by_vulnerabilities": [
                {
                    "vulnerability": "VCID-ec6u-k3jr-wud6"
                }
            ],
            "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/com.databricks/databricks-jdbc@2.6.25-beta-1"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/packages/769244?format=api",
            "purl": "pkg:maven/com.databricks/databricks-jdbc@2.6.25-beta-2",
            "is_vulnerable": true,
            "affected_by_vulnerabilities": [
                {
                    "vulnerability": "VCID-ec6u-k3jr-wud6"
                }
            ],
            "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/com.databricks/databricks-jdbc@2.6.25-beta-2"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/packages/769245?format=api",
            "purl": "pkg:maven/com.databricks/databricks-jdbc@2.6.25-beta-3",
            "is_vulnerable": true,
            "affected_by_vulnerabilities": [
                {
                    "vulnerability": "VCID-ec6u-k3jr-wud6"
                }
            ],
            "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/com.databricks/databricks-jdbc@2.6.25-beta-3"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/packages/769246?format=api",
            "purl": "pkg:maven/com.databricks/databricks-jdbc@2.6.25-beta-4",
            "is_vulnerable": true,
            "affected_by_vulnerabilities": [
                {
                    "vulnerability": "VCID-ec6u-k3jr-wud6"
                }
            ],
            "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/com.databricks/databricks-jdbc@2.6.25-beta-4"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/packages/769247?format=api",
            "purl": "pkg:maven/com.databricks/databricks-jdbc@2.6.25",
            "is_vulnerable": true,
            "affected_by_vulnerabilities": [
                {
                    "vulnerability": "VCID-ec6u-k3jr-wud6"
                }
            ],
            "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/com.databricks/databricks-jdbc@2.6.25"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/packages/769248?format=api",
            "purl": "pkg:maven/com.databricks/databricks-jdbc@2.6.25-1",
            "is_vulnerable": true,
            "affected_by_vulnerabilities": [
                {
                    "vulnerability": "VCID-ec6u-k3jr-wud6"
                }
            ],
            "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/com.databricks/databricks-jdbc@2.6.25-1"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/packages/769249?format=api",
            "purl": "pkg:maven/com.databricks/databricks-jdbc@2.6.27-beta-1",
            "is_vulnerable": true,
            "affected_by_vulnerabilities": [
                {
                    "vulnerability": "VCID-ec6u-k3jr-wud6"
                }
            ],
            "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/com.databricks/databricks-jdbc@2.6.27-beta-1"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/packages/769250?format=api",
            "purl": "pkg:maven/com.databricks/databricks-jdbc@2.6.27",
            "is_vulnerable": true,
            "affected_by_vulnerabilities": [
                {
                    "vulnerability": "VCID-ec6u-k3jr-wud6"
                }
            ],
            "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/com.databricks/databricks-jdbc@2.6.27"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/packages/769251?format=api",
            "purl": "pkg:maven/com.databricks/databricks-jdbc@2.6.29-beta-1",
            "is_vulnerable": true,
            "affected_by_vulnerabilities": [
                {
                    "vulnerability": "VCID-ec6u-k3jr-wud6"
                }
            ],
            "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/com.databricks/databricks-jdbc@2.6.29-beta-1"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/packages/769252?format=api",
            "purl": "pkg:maven/com.databricks/databricks-jdbc@2.6.29",
            "is_vulnerable": true,
            "affected_by_vulnerabilities": [
                {
                    "vulnerability": "VCID-ec6u-k3jr-wud6"
                }
            ],
            "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/com.databricks/databricks-jdbc@2.6.29"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/packages/769253?format=api",
            "purl": "pkg:maven/com.databricks/databricks-jdbc@2.6.32",
            "is_vulnerable": true,
            "affected_by_vulnerabilities": [
                {
                    "vulnerability": "VCID-ec6u-k3jr-wud6"
                }
            ],
            "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/com.databricks/databricks-jdbc@2.6.32"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/packages/769254?format=api",
            "purl": "pkg:maven/com.databricks/databricks-jdbc@2.6.33",
            "is_vulnerable": true,
            "affected_by_vulnerabilities": [
                {
                    "vulnerability": "VCID-ec6u-k3jr-wud6"
                }
            ],
            "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/com.databricks/databricks-jdbc@2.6.33"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/packages/769255?format=api",
            "purl": "pkg:maven/com.databricks/databricks-jdbc@2.6.34",
            "is_vulnerable": true,
            "affected_by_vulnerabilities": [
                {
                    "vulnerability": "VCID-ec6u-k3jr-wud6"
                }
            ],
            "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/com.databricks/databricks-jdbc@2.6.34"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/packages/769256?format=api",
            "purl": "pkg:maven/com.databricks/databricks-jdbc@2.6.36",
            "is_vulnerable": true,
            "affected_by_vulnerabilities": [
                {
                    "vulnerability": "VCID-ec6u-k3jr-wud6"
                }
            ],
            "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/com.databricks/databricks-jdbc@2.6.36"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/packages/769257?format=api",
            "purl": "pkg:maven/com.databricks/databricks-jdbc@2.6.38",
            "is_vulnerable": true,
            "affected_by_vulnerabilities": [
                {
                    "vulnerability": "VCID-ec6u-k3jr-wud6"
                }
            ],
            "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/com.databricks/databricks-jdbc@2.6.38"
        }
    ],
    "references": [
        {
            "reference_url": "http://kb.databricks.com/en_US/data-sources/security-bulletin-databricks-jdbc-driver-vulnerability-advisory-cve-2024-49194",
            "reference_id": "",
            "reference_type": "",
            "scores": [
                {
                    "value": "7.3",
                    "scoring_system": "cvssv3.1",
                    "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N"
                },
                {
                    "value": "HIGH",
                    "scoring_system": "generic_textual",
                    "scoring_elements": ""
                }
            ],
            "url": "http://kb.databricks.com/en_US/data-sources/security-bulletin-databricks-jdbc-driver-vulnerability-advisory-cve-2024-49194"
        },
        {
            "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-49194",
            "reference_id": "",
            "reference_type": "",
            "scores": [
                {
                    "value": "0.01746",
                    "scoring_system": "epss",
                    "scoring_elements": "0.83012",
                    "published_at": "2026-06-12T12:55:00Z"
                },
                {
                    "value": "0.01746",
                    "scoring_system": "epss",
                    "scoring_elements": "0.8295",
                    "published_at": "2026-06-11T12:55:00Z"
                }
            ],
            "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-49194"
        },
        {
            "reference_url": "https://github.com/databricks/databricks-jdbc",
            "reference_id": "",
            "reference_type": "",
            "scores": [
                {
                    "value": "7.3",
                    "scoring_system": "cvssv3.1",
                    "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N"
                },
                {
                    "value": "HIGH",
                    "scoring_system": "generic_textual",
                    "scoring_elements": ""
                }
            ],
            "url": "https://github.com/databricks/databricks-jdbc"
        },
        {
            "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-49194",
            "reference_id": "",
            "reference_type": "",
            "scores": [
                {
                    "value": "7.3",
                    "scoring_system": "cvssv3.1",
                    "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N"
                },
                {
                    "value": "HIGH",
                    "scoring_system": "generic_textual",
                    "scoring_elements": ""
                }
            ],
            "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-49194"
        },
        {
            "reference_url": "https://github.com/advisories/GHSA-jxw2-jvxf-5vrp",
            "reference_id": "GHSA-jxw2-jvxf-5vrp",
            "reference_type": "",
            "scores": [],
            "url": "https://github.com/advisories/GHSA-jxw2-jvxf-5vrp"
        },
        {
            "reference_url": "https://kb.databricks.com/en_US/data-sources/security-bulletin-databricks-jdbc-driver-vulnerability-advisory-cve-2024-49194",
            "reference_id": "security-bulletin-databricks-jdbc-driver-vulnerability-advisory-cve-2024-49194",
            "reference_type": "",
            "scores": [
                {
                    "value": "7.3",
                    "scoring_system": "cvssv3.1",
                    "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N"
                },
                {
                    "value": "Track",
                    "scoring_system": "ssvc",
                    "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-12-18T16:14:52Z/"
                }
            ],
            "url": "https://kb.databricks.com/en_US/data-sources/security-bulletin-databricks-jdbc-driver-vulnerability-advisory-cve-2024-49194"
        }
    ],
    "weaknesses": [
        {
            "cwe_id": 77,
            "name": "Improper Neutralization of Special Elements used in a Command ('Command Injection')",
            "description": "The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component."
        },
        {
            "cwe_id": 937,
            "name": "OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities",
            "description": "Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013."
        },
        {
            "cwe_id": 1035,
            "name": "OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities",
            "description": "Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017."
        }
    ],
    "exploits": [],
    "severity_range_score": "7.0 - 8.9",
    "exploitability": "0.5",
    "weighted_severity": "8.0",
    "risk_score": 4.0,
    "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ec6u-k3jr-wud6"
}