Apache Auth-Bypass Vulnerability Lets Attackers Gain Control Over HugeGraph-Server

The Apache Software Foundation has issued a security alert regarding a critical vulnerability in Apache HugeGraph-Server. The flaw, identified as CVE-2024-43441, could potentially allow authentication bypass due to an issue with assumed-immutable data in JWT tokens.

The vulnerability impacts versions 1.0 to 1.3 of Apache HugeGraph-Server, prior to the release of version 1.5.0. Users running these versions are highly encouraged to act immediately to secure their systems.

Description of the Vulnerability

The reported vulnerability, classified as important, stems from the improper handling of fixed JWT tokens (secrets), which could lead to an authentication bypass.

If exploited, this flaw could allow unauthorized access to systems, jeopardizing the security of sensitive data.

Apache has confirmed that the vulnerability has been addressed in Apache HugeGraph-Server version 1.5.0.

Users are strongly advised to update to this version as soon as possible to mitigate the risk.

Credit for discovering this vulnerability has been attributed to L0ne1y, who responsibly reported the issue to Apache.

Recommendations

• Upgrade Now: Users should upgrade their HugeGraph-Server installations to version 1.5.0 or later to ensure they are protected.
• Security Practices: Regularly update to the latest versions of software and monitor official channels for security advisories.

For more information on this vulnerability or assistance with upgrading, users can refer to the official Apache HugeGraph website or contact the Apache support team.

Investigate Real-World Malicious Links, Malware & Phishing Attacks With ANY.RUN – Try for Free