Apache Drill Vulnerability Allows Remote File Read/Write and Command Execution
CVE-2023-48362

8.8HIGH

Key Information:

Vendor: Apache
Status: Apache Drill
Vendor: CVE Published:; 24 July 2024

Summary

The vulnerability enables an attacker to leverage XML External Entity (XXE) processing in the XML Format Plugin of Apache Drill, starting from version 1.19.0. By crafting a malicious XML file, an attacker can gain unauthorized access to files on a remote file system and execute arbitrary commands. Users of affected versions are strongly advised to upgrade to version 1.21.2, which addresses this vulnerability.

Affected Version(s)

Apache Drill 1.19.0 < 1.21.2

References

https://lists.apache.org/thread/9tt0q4bdjwgw0dz0l9knqxjnp...

vendor-advisory

http://www.openwall.com/lists/oss-security/2024/07/24/3

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Jul 24, 2024
Vulnerability Reserved
Nov 15, 2023

Credit

Yuzhe Huang