Apache HugeGraph-Server
cpe:2.3:a:apache:hugegraph:*:*:*:*:*:*:*
- >= 1.0.0, < 1.3.0
This vulnerability is being actively exploited in the wild.
A remote command execution vulnerability has been identified in Apache HugeGraph-Server versions 1.0.0 prior to 1.3.0, when running on Java 8 or Java 11. This vulnerability allows attackers to execute arbitrary code by sending specially crafted requests through the Gremlin traversal language interface. The issue arises from improper access control that enables the execution of commands on the server's underlying system.
Exploitation of this vulnerability allows for unauthorized remote code execution on the server where HugeGraph is running.
The vulnerability can be reproduced by sending a Gremlin script that uses Java reflection to bypass security restrictions and execute commands via the ProcessBuilder class. This can be done using a curl command that targets the Gremlin API with a payload designed to exploit the vulnerability.
Users are advised to upgrade to Apache HugeGraph version 1.3.0 or later, ensure that the application runs on Java 11, and enable the built-in authentication system to restrict access to the Gremlin server. Additionally, the 'Whitelist-IP/port' function can be activated to further limit access to authorized sources.
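A defender-side screening check for bodies sent to the Gremlin API, written as an added example (not HugeGraph's own code): it flags scripts that reach for Java reflection or ProcessBuilder, the mechanism the advisory describes, instead of expressing a graph traversal. The token list and the sample request bodies are constructed for this illustration.

```python
import json
import re

# Script fragments a legitimate graph traversal has no reason to contain. The list is an
# assumption made for this example, not a filter shipped by HugeGraph.
SUSPICIOUS_PATTERNS = [
    (r"\bProcessBuilder\b", "process spawning via ProcessBuilder"),
    (r"\bRuntime\s*\.\s*getRuntime\s*\(", "process spawning via Runtime"),
    (r"\bClass\s*\.\s*forName\s*\(", "reflection: Class.forName"),
    (r"\.\s*getDeclaredMethods?\s*\(", "reflection: method lookup"),
    (r"\.\s*setAccessible\s*\(", "reflection: access-check bypass"),
]

def extract_gremlin(body: str) -> str:
    """Return the script from a Gremlin API request body.

    The Gremlin HTTP endpoint takes JSON of the form {"gremlin": "..."}; any body that is
    not valid JSON is treated as a raw script so a malformed request is still screened.
    """
    try:
        doc = json.loads(body)
    except json.JSONDecodeError:
        return body
    if isinstance(doc, dict):
        return str(doc.get("gremlin", ""))
    return body

def screen_gremlin_request(body: str) -> list:
    """List the reasons a request looks like code execution rather than a traversal."""
    script = extract_gremlin(body)
    return [reason for pattern, reason in SUSPICIOUS_PATTERNS if re.search(pattern, script)]

def flag_suspicious(bodies) -> list:
    """Screen a batch of captured request bodies; return (index, reasons) for each hit."""
    hits = []
    for i, body in enumerate(bodies):
        reasons = screen_gremlin_request(body)
        if reasons:
            hits.append((i, reasons))
    return hits

# Constructed sample bodies: a normal traversal and one that names ProcessBuilder via reflection.
SAMPLE_BODIES = [
    '{"gremlin": "g.V().has(\'name\', \'alice\').out(\'knows\').limit(10)"}',
    '{"gremlin": "Class.forName(\'java.lang.ProcessBuilder\')"}',
]

if __name__ == "__main__":
    for idx, reasons in flag_suspicious(SAMPLE_BODIES):
        print(f"request {idx}: {', '.join(reasons)}")
```

Keyword screening of this kind is a detection aid for request logs or a reverse proxy, not a replacement for the upgrade and the authentication and IP whitelist controls listed above.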