Apache UIMA DUCC: DUCC (EOL) allows RCE
CVE-2023-28935

8.8HIGH

Key Information:

Vendor: Apache
Status: Apache Uima Ducc
Vendor: CVE Published:; 30 March 2023

Summary

An improper neutralization of special elements used in a command vulnerability exists within the Apache UIMA's Distributed UIMA Cluster Computing (DUCC) module. An authenticated user with permissions to alter core entities could exploit this flaw to execute arbitrary commands as the system user that runs the web process. It's crucial to note that this module is retired, and Apache does not intend to provide any patches, making affected systems particularly vulnerable.

Affected Version(s)

Apache UIMA DUCC 0

References

https://lists.apache.org/thread/r19z14b9rrfxv72r93q5trq5t...

vendor-advisory

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Mar 30, 2023
Vulnerability Reserved
Mar 28, 2023

Credit

Crilwa