Apache HugeGraph Gremlin command injection

Added: 08/20/2024

Background

Apache HugeGraph is a graph database. HugeGraph supports Gremlin, a graph traversal language.

Problem

A vulnerability in Apache HugeGraph allows remote attackers to bypass sandbox restrictions and execute arbitrary commands through Gremlin.

Resolution

Upgrade to HugeGraph 1.3.0 or higher with Java 11 and enable the Auth system.
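An added example, not part of this advisory or of the HugeGraph project, that checks a deployment against the two conditions above from captured server responses. It assumes that GET /versions on the HugeGraph REST server returns JSON with a "versions" object carrying a "core" version string, and that with the Auth system enabled an unauthenticated GET /graphs is answered with HTTP 401; the sample responses below are constructed. The Java 11 requirement is not visible through the API and must be checked on the host.

```python
import json
import re

# Minimum fixed version named in the advisory's Resolution.
FIXED_VERSION = (1, 3, 0)


def parse_version(text):
    """Turn a dotted version string such as '1.3.0' or '0.12.0.0' into a tuple of ints."""
    m = re.match(r"v?(\d+(?:\.\d+)*)", text.strip())
    if not m:
        raise ValueError("unrecognised version string: %r" % text)
    return tuple(int(part) for part in m.group(1).split("."))


def is_fixed_version(version):
    """True when the server core version is 1.3.0 or higher."""
    v = parse_version(version)
    # Pad short strings so '1.3' compares as (1, 3, 0); longer strings compare as-is.
    v = v + (0,) * (len(FIXED_VERSION) - len(v))
    return v >= FIXED_VERSION


def assess(versions_body, unauth_status):
    """Return a list of findings for a server; an empty list means both conditions hold.

    versions_body: JSON body of GET /versions (assumed shape: {"versions": {"core": "..."}}).
    unauth_status: HTTP status of an unauthenticated GET /graphs (401 expected with Auth enabled).
    """
    core = json.loads(versions_body)["versions"]["core"]
    findings = []
    if not is_fixed_version(core):
        findings.append("core version %s is below 1.3.0: upgrade" % core)
    if unauth_status != 401:
        findings.append("unauthenticated request was not rejected (HTTP %d): enable the Auth system" % unauth_status)
    return findings


# Constructed sample responses (not captured from a real server).
SAMPLE_VULNERABLE = json.dumps({"versions": {"version": "v1", "core": "1.2.0"}})
SAMPLE_FIXED = json.dumps({"versions": {"version": "v1", "core": "1.3.0"}})

if __name__ == "__main__":
    for name, body, status in (("old", SAMPLE_VULNERABLE, 200), ("patched", SAMPLE_FIXED, 401)):
        print(name, assess(body, status) or ["ok"])
```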

References

https://lists.apache.org/thread/nx6g6htyhpgtzsocybm242781o8w5kq9

Platforms

Linux
