CVE-2024-43441: Authentication Bypass Vulnerability Found in Apache HugeGraph-Server
The Apache Software Foundation has disclosed CVE-2024-43441, an authentication bypass vulnerability in Apache HugeGraph-Server, a widely used open-source graph database. The project rates the issue "important" (not "critical"). It falls into the CWE class "Authentication Bypass by Assumed-Immutable Data": the server trusts a piece of client-supplied data as if it could not have been altered, so an attacker who modifies that data can bypass authentication and gain unauthorized access to graph data and operations.
HugeGraph, known for its ease of use, efficiency, and compatibility with the Apache TinkerPop3 framework and Gremlin query language, is a popular choice for building applications and products based on graph databases. It boasts features like fast data import (supporting tens of billions of vertices and edges), millisecond-level relational query capabilities (OLTP), and support for large-scale distributed graph computing (OLAP). The project is hosted on GitHub.
CVE-2024-43441 lets an attacker bypass authentication on affected HugeGraph-Server versions because of a flaw in how the server handles JSON Web Tokens (JWTs). Specifically, the server assumes that certain data carried in the token is immutable and acts on it without confirming that it has not been tampered with, so a client that alters that data can pass the authentication check with a token that should have been rejected.
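To make the bug class concrete, here is an added illustration of "authentication bypass by assumed-immutable data" in a JWT handler. It is example code written for this article, not HugeGraph's code, and it does not reproduce the actual HugeGraph code path, which the advisory does not describe. The key, claims and token values are constructed for the demo. The vulnerable checker reads the subject claim straight out of the token payload, assuming nobody could have changed it; the hardened checker verifies the HMAC signature, the algorithm and the expiry before trusting any claim.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo key; a real deployment would load a long random secret from config.
KEY = b"demo-secret-key-not-for-production"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(claims: dict, key: bytes) -> str:
    """Issue an HS256 JWT: base64url(header).base64url(payload).base64url(signature)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def vulnerable_identity(token: str) -> str:
    """VULNERABLE: assumes the payload is immutable because the server minted the token.

    The signature is never checked, so any client can rewrite the claims."""
    _, payload_b64, _ = token.split(".")
    return json.loads(_b64url_decode(payload_b64))["sub"]


def hardened_identity(token: str, key: bytes, now: Optional[float] = None) -> Optional[str]:
    """HARDENED: trust a claim only after the signature, algorithm and expiry are verified.

    Returns the subject on success, None on any failure."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        # Pin the algorithm: never let the token choose it ("none", alg confusion).
        if header.get("alg") != "HS256":
            return None
        expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        # Constant-time comparison so a byte-by-byte timing leak cannot help an attacker.
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        claims = json.loads(_b64url_decode(payload_b64))
        exp = claims.get("exp")
        if not isinstance(exp, (int, float)) or exp <= now:
            return None
        sub = claims.get("sub")
        return sub if isinstance(sub, str) else None
    except (ValueError, UnicodeDecodeError, json.JSONDecodeError):
        return None


def forge_subject(token: str, new_sub: str) -> str:
    """Attacker step: keep the original header and signature, swap the subject claim."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    claims = json.loads(_b64url_decode(payload_b64))
    claims["sub"] = new_sub
    tampered = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    return f"{header_b64}.{tampered}.{sig_b64}"


if __name__ == "__main__":
    legit = mint_token({"sub": "alice", "exp": 2_000_000_000}, KEY)
    forged = forge_subject(legit, "admin")
    print("vulnerable sees forged token as:", vulnerable_identity(forged))
    print("hardened sees forged token as:", hardened_identity(forged, KEY))
```

The tampered token in `forge_subject` still carries a valid-looking signature, which is exactly why a checker that skips verification cannot tell it apart from the one it issued. Whatever the specific field was in HugeGraph's case, the remedy is the same: every claim a server acts on must be covered by a signature it verifies with its own key, with the algorithm fixed server-side and the expiry enforced.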
The Apache HugeGraph team has released version 1.5.0, which fixes the vulnerability. All users of Apache HugeGraph-Server versions 1.0 through 1.3 are urged to upgrade to 1.5.0. Note that the patch only helps where server-side authentication is actually enabled; a HugeGraph-Server instance exposed to untrusted networks without authentication configured remains open to anyone regardless of version.
Apache HugeGraph-Server has become an attractive target for attackers because of its growing adoption and its role in managing large-scale data. This latest vulnerability follows another flaw, CVE-2024-27348, disclosed in April and subsequently added to the Known Exploited Vulnerabilities (KEV) catalog by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), meaning exploitation in the wild had been observed. That flaw, an improper access control vulnerability with a CVSS score of 9.8, allowed remote code execution (RCE) on unpatched HugeGraph-Server versions.