CVE-2017-11467: OrientDB vulnerable to Improper Privilage Management leading to arbitrary command injection
9.8
CVSS Score
3.0
Basic Information
CVE ID
GHSA ID
EPSS Score
0.98819%
CWE
Published
10/18/2018
Updated
2/20/2024
KEV Status
No
Technology
Java
Technical Details
CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
com.orientechnologies:orientdb-core | maven | < 2.2.23 | 2.2.23 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from missing privilege checks during the processing of WHERE, FETCHPLAN, and ORDER BY clauses in SQL queries. These clauses are parsed and executed by OrientDB's query engine components. The identified functions are core to query execution and would logically enforce security constraints if properly implemented. Historical context from similar vulnerabilities (e.g., CWE-269) and OrientDB's architecture suggests these components would handle clause validation. While explicit patch details are unavailable, the functions' roles align with the described attack vector (crafted clauses bypassing privilege checks), warranting high confidence.