9.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-27348

GHSA ID

GHSA-29rc-vq7f-x335

EPSS Score

0.99888%

CWE

CWE-77

Published

4/22/2024

Updated

2/13/2025

KEV Status

Yes

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-27348

CVE-2024-27348: Apache HugeGraph-Server: Command execution in gremlin

RCE-Remote Command Execution vulnerability in Apache HugeGraph-Server.This issue affects Apache HugeGraph-Server: from 1.0.0 before 1.3.0 in Java8 & Java11

Users are recommended to upgrade to version 1.3.0 with Java11 & enable the Auth system, which fixes the issue.

(GitHub Advisory)

9.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-27348

GHSA ID

GHSA-29rc-vq7f-x335

EPSS Score

0.99888%

CWE

CWE-77

Published

4/22/2024

Updated

2/13/2025

KEV Status

Yes

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.apache.hugegraph:hugegraph-api	maven	>= 1.0.0, < 1.3.0	1.3.0
org.apache.hugegraph:hugegraph-core	maven	>= 1.0.0, < 1.3.0	1.3.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability combines CWE-77 (command injection) and CWE-284 (access control). The commit diff shows critical security enhancements: 1) HugeSecurityManager's checkExec() was strengthened to block command execution in Gremlin context 2) HugeFactoryAuthProxy added filterCriticalSystemClasses() to restrict dangerous reflection methods. The vulnerable versions lacked these protections, allowing attackers to bypass security checks and execute commands via Gremlin API. The functions handling command execution security checks and reflection access control were the primary vectors.

Vulnerable functions

org.apache.hugegraph.security.HugeSecurityManager.checkExec

hugegraph-server/hugegraph-core/src/main/java/org/apache/hugegraph/security/HugeSecurityManager.java

The checkExec method did not properly prevent command execution via Gremlin API calls. Prior to the patch, it allowed execution of system commands when invoked through Gremlin queries due to insufficient security checks.

org.apache.hugegraph.auth.HugeFactoryAuthProxy.registerPrivateActions

hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/auth/HugeFactoryAuthProxy.java

This function lacked proper filtering of critical system classes/methods (like Runtime.exec, ProcessBuilder.start) prior to the patch. The absence of filterCriticalSystemClasses() registration allowed command injection via reflection.

WAF Protection Rules

WAF Rule

R**-R*mot* *omm*n* *x**ution vuln*r**ility in *p**** *u***r*p*-S*rv*r.T*is issu* *****ts *p**** *u***r*p*-S*rv*r: *rom *.*.* ***or* *.*.* in J*v** & J*v*** Us*rs *r* r**omm*n*** to up*r*** to v*rsion *.*.* wit* J*v*** & *n**l* t** *ut* syst*m, w*i**

Reasoning

T** vuln*r**ility *om*in*s *W*-** (*omm*n* inj**tion) *n* *W*-*** (****ss *ontrol). T** *ommit *i** s*ows *riti**l s**urity *n**n**m*nts: *) `*u**S**urityM*n***r`'s `****k*x**()` w*s str*n*t**n** to *lo*k *omm*n* *x**ution in *r*mlin *ont*xt *) `*u**

9.8

Basic Information

Concerned about an active attack path?

CVE-2024-27348: Apache HugeGraph-Server: Command execution in gremlin

9.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI