The US Cybersecurity and Infrastructure Security Agency (CISA) has flagged a critical remote code execution (RCE) flaw impacting Apache HugeGraph-Server, adding it to its Known Exploited Vulnerabilities (KEV) catalog.
The flaw, tracked as CVE-2024-27348, is rated critical and stems from improper access control. The remote code execution vulnerability affects Apache HugeGraph-Server versions from 1.0.0 up to, but not including, 1.3.0. The Apache Software Foundation addressed the issue on April 22, 2024, with the release of version 1.3.0. Users are strongly advised to upgrade to this version and take additional precautions.
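Deciding whether a deployment sits inside an affected range like "1.0.0 up to, but not including, 1.3.0" is a frequent source of triage mistakes, because comparing version strings lexically puts 1.10.0 before 1.3.0. The Python below is an added example, not code from the advisory or from the HugeGraph project; it parses versions as integers, applies the inclusive/exclusive bounds from the advisory, and flags hosts in a constructed inventory (hostnames and versions are made up for the demonstration).

```python
import re
from typing import List, Optional, Tuple

# Affected range for CVE-2024-27348 as stated in the advisory: 1.0.0 <= v < 1.3.0.
AFFECTED_MIN = "1.0.0"   # inclusive
FIXED_IN = "1.3.0"       # exclusive: first release carrying the fix

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$")


def parse_version(text: str) -> Tuple[int, int, int, Optional[str]]:
    """Parse 'MAJOR.MINOR.PATCH[-prerelease]' (optional leading 'v') into a tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, pre = m.groups()
    return int(major), int(minor), int(patch), pre


def _key(v: Tuple[int, int, int, Optional[str]]):
    major, minor, patch, pre = v
    # Semver orders a pre-release (1.3.0-rc1) *before* the final 1.3.0, so a
    # pre-release build of the fixed version still counts as vulnerable here.
    return (major, minor, patch, 0 if pre else 1, pre or "")


def is_affected(version: str, lo: str = AFFECTED_MIN, hi: str = FIXED_IN) -> bool:
    """True when lo <= version < hi, comparing numeric components as integers."""
    v = _key(parse_version(version))
    return _key(parse_version(lo)) <= v < _key(parse_version(hi))


def naive_string_check(version: str, lo: str = AFFECTED_MIN, hi: str = FIXED_IN) -> bool:
    """The wrong way: plain string comparison. Kept only to show the pitfall."""
    return lo <= version < hi


def hosts_to_upgrade(inventory: List[Tuple[str, str]]) -> List[str]:
    """Return hostnames whose HugeGraph-Server version is inside the affected range."""
    return sorted(host for host, ver in inventory if is_affected(ver))


# Constructed sample inventory (hostnames and versions are illustrative only).
SAMPLE_INVENTORY = [
    ("graph-01.example.internal", "1.2.0"),    # affected
    ("graph-02.example.internal", "1.3.0"),    # fixed release
    ("graph-03.example.internal", "1.0.0"),    # lower bound is inclusive: affected
    ("graph-04.example.internal", "0.12.0"),   # below the affected range
    ("graph-05.example.internal", "1.3.0-rc1"), # pre-release of the fix: still affected
]

if __name__ == "__main__":
    for host in hosts_to_upgrade(SAMPLE_INVENTORY):
        print(f"{host}: upgrade to {FIXED_IN}")
    # String comparison mis-orders 1.10.0 relative to 1.3.0:
    print("naive check on 1.10.0:", naive_string_check("1.10.0"))  # True (false positive)
    print("correct check on 1.10.0:", is_affected("1.10.0"))       # False
```

The same helper applies to any advisory that states a half-open range; only the bounds change. Versions that do not match the MAJOR.MINOR.PATCH shape raise rather than silently passing, which is the safer failure mode for an inventory sweep.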
Meanwhile, Ivanti has also issued a security alert regarding active exploitation of a path traversal vulnerability tracked as CVE-2024-8963. The flaw, present in unpatched Cloud Services Appliance (CSA) systems, allows remote, unauthenticated attackers to bypass administrative controls and reach restricted functionality.
Attackers are chaining CVE-2024-8963 with another vulnerability, CVE-2024-8190, a command injection bug, to gain elevated access. CVE-2024-8190 was patched last week. Through the chained exploits, attackers can bypass admin authentication entirely and execute arbitrary commands on compromised systems.
Both bugs have also been added to CISA’s KEV catalog, along with three older RCE flaws: Microsoft SQL Server Reporting Services (CVE-2020-0618), Oracle JDeveloper (CVE-2022-21445), and Oracle WebLogic Server (CVE-2020-14644).