CVE-2024-55551

Опубликовано: 19 мар. 2025

Источник: nvd

CVSS3: 8.3

CVSS3: 7.5

EPSS Низкий

Описание

An issue was discovered in Exasol JDBC driver before 24.2.1 (2024-12-10). Attackers can inject malicious parameters into the JDBC URL, triggering JNDI injection during the process when the JDBC Driver uses this URL to connect to the database. This can further lead to remote code execution.

Ссылки

https://docs.exasol.com/db/7.1/release_notes_drivers_jdbc/24.2.1.htm
Release Notes
https://docs.exasol.com/db/latest/connect_exasol/drivers/jdbc.htm
Product
https://gist.github.com/azraelxuemo/9565ec9219e0c3e9afd5474904c39d0f
Third Party Advisory
https://www.blackhat.com/eu-24/briefings/schedule/index.html#a-novel-attack-surface-java-authentication-and-authorization-service-jaas-42179
Technical Description

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:exasol:jdbc_driver:*:*:*:*:*:*:*:*

Версия до 24.2.1 (исключая)

EPSS

Процентиль: 66%

0.00508

Низкий

8.3 High

CVSS3

7.5 High

CVSS3

Дефекты

CWE-471

Связанные уязвимости

GHSA-j7qq-8hrp-f3j8

CVSS3: 9

github

11 месяцев назад

An issue was discovered in Exasol jdbc driver 24.2.0. Attackers can inject malicious parameters into the JDBC URL, triggering JNDI injection during the process when the JDBC Driver uses this URL to connect to the database. This can further lead to remote code execution vulnerability.

EPSS

Процентиль: 66%

0.00508

Низкий

8.3 High

CVSS3

7.5 High

CVSS3

Дефекты

CWE-471