CVSS Score: -

Basic Information

CVE ID: -
GHSA ID: -
EPSS Score: -
CWE: -
Published: -
Updated: -
KEV Status: -
Technology: -
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| org.apache.hugegraph:hugegraph-api | maven | >= 1.0.0, < 1.3.0 | 1.3.0 |
| org.apache.hugegraph:hugegraph-core | maven | >= 1.0.0, < 1.3.0 | 1.3.0 |
The vulnerability combines CWE-77 (command injection) and CWE-284 (improper access control). The commit diff shows two security enhancements: 1) `HugeSecurityManager.checkExec()` was strengthened to block command execution from a Gremlin context; 2) `HugeFactoryAuthProxy` gained `filterCriticalSystemClasses()` to restrict access to dangerous reflection methods. The vulnerable versions lacked these protections, allowing attackers to bypass the security checks and execute commands via the Gremlin API. The functions that perform the command-execution security check and the reflection access control were the primary vectors.
- `org.apache.hugegraph.security.HugeSecurityManager.checkExec` in `hugegraph-server/hugegraph-core/src/main/java/org/apache/hugegraph/security/HugeSecurityManager.java`
- `org.apache.hugegraph.auth.HugeFactoryAuthProxy.registerPrivateActions` in `hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/auth/HugeFactoryAuthProxy.java`