CVE-2024-55551
8.3
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
Summary
An issue was discovered in Exasol JDBC driver before 24.2.1 (2024-12-10). Attackers can inject malicious parameters into the JDBC URL, triggering JNDI injection during the process when the JDBC Driver uses this URL to connect to the database. This can further lead to remote code execution.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Exasol | JDBC driver | 0 < 24.2.1 | affected |
Weaknesses
- CWE-471: CWE-471 Modification of Assumed-Immutable Data (MAID)
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: yes
- Technical Impact: total
References
- https://www.blackhat.com/eu-24/briefings/schedule/index.html#a-novel-attack-surface-java-authentication-and-authorization-service-jaas-42179
- https://docs.exasol.com/db/latest/connect_exasol/drivers/jdbc.htm
- https://gist.github.com/azraelxuemo/9565ec9219e0c3e9afd5474904c39d0f
- https://docs.exasol.com/db/7.1/release_notes_drivers_jdbc/24.2.1.htm
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.