Platform
java
Component
org.apache.hop:hop
Fixed in
2.8.0
CVE-2024-24683 describes an Improper Input Validation vulnerability within the Apache Hop Engine. This flaw stems from insufficient escaping of an 'id' parameter within the PrepareExecutionPipelineServlet, potentially allowing for exploitation. The vulnerability impacts versions of Apache Hop Engine prior to 2.8.0, and a fix is available in version 2.8.0.
The vulnerability lies in how the Hop Server component constructs links to the PrepareExecutionPipelineServlet. Specifically, the 'id' parameter, which identifies a pipeline, is not properly escaped before being included in the URL. While users typically don't directly create pipelines, an attacker could potentially craft a malicious URL that, when accessed, could lead to unintended consequences. Although the description indicates a low risk due to the indirect accessibility of the 'id' parameter, successful exploitation could lead to unauthorized access or modification of pipeline configurations within the Hop Server environment. The blast radius is limited to the Hop Server component itself, and does not directly affect the client.
This CVE was publicly disclosed on March 19, 2024. The vulnerability's impact is considered low due to the indirect accessibility of the affected parameter. There is no indication of this vulnerability being added to the CISA KEV catalog or being actively exploited at this time. No public proof-of-concept exploits have been identified.
Organizations utilizing Apache Hop Engine for data integration and transformation workflows, particularly those running versions prior to 2.8.0, are at risk. Environments where the Hop Server component is exposed to external networks or untrusted users are especially vulnerable.
• linux / server: Monitor Hop Server logs for unusual activity related to the PrepareExecutionPipelineServlet. Use journalctl -u hop-server to filter for errors or suspicious requests containing the 'id' parameter.
• generic web: Use curl to test the PrepareExecutionPipelineServlet URL with various 'id' parameters containing special characters. Examine the response for any signs of unexpected behavior or error messages.
curl 'http://<hop-server>/hop-server/PrepareExecutionPipelineServlet?id=<malicious_id>' -v
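As an added example (not part of the original advisory or of the Apache Hop project), the log check suggested above can be automated: parse access-log style request lines, pick out requests to the servlet, and flag any 'id' value that contains characters outside a conservative allowlist. The servlet URL path and the pipeline-id character set are assumptions, and the log lines are constructed samples.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in a common-log-like format (not real Hop Server output).
SAMPLE_LOG = """\
10.0.0.5 - - [19/Mar/2024:10:00:01 +0000] "GET /hop/prepareExec/?id=3f2a9b1c-7d4e-4c1a-9e2b-1f0c2d3e4f5a HTTP/1.1" 200 512
10.0.0.9 - - [19/Mar/2024:10:00:07 +0000] "GET /hop/prepareExec/?id=%3Cb%3Ex%3C%2Fb%3E HTTP/1.1" 200 611
10.0.0.9 - - [19/Mar/2024:10:00:09 +0000] "GET /hop/prepareExec/?id=abc%22%3E%3Ci%3E HTTP/1.1" 200 603
10.0.0.5 - - [19/Mar/2024:10:00:12 +0000] "GET /hop/status/?id=%3C HTTP/1.1" 200 1200
"""

# Assumption: the servlet is reachable under a path containing one of these names.
SERVLET_PATTERN = re.compile(r"prepareExec|PrepareExecutionPipelineServlet", re.IGNORECASE)
# Assumption: a legitimate pipeline id is an opaque token of letters, digits, '.', '_' or '-'.
SAFE_ID = re.compile(r"[A-Za-z0-9._-]+")
REQUEST_LINE = re.compile(r'^(?P<client>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def extract_ids(target):
    """Return every 'id' value (percent-decoded once) for a request to the servlet."""
    parts = urlsplit(target)
    if not SERVLET_PATTERN.search(parts.path):
        return []
    # keep_blank_values so an empty id is still reported; parse_qs decodes %XX once
    return parse_qs(parts.query, keep_blank_values=True).get("id", [])

def suspicious_ids(target):
    """Ids that contain anything outside the allowlist, e.g. HTML metacharacters."""
    return [i for i in extract_ids(target) if not SAFE_ID.fullmatch(i)]

def scan_log(text):
    """Scan log text and return one finding per suspicious id, with line and client."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = REQUEST_LINE.match(line)
        if not m:
            continue
        for bad in suspicious_ids(m["target"]):
            findings.append({"line": lineno, "client": m["client"], "id": bad})
    return findings

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']}: client {f['client']} sent id={f['id']!r}")
```

Requests to other servlets are ignored, so the last sample line produces no finding even though its 'id' contains '<'.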
Exploit status
EPSS
0.45% (64th percentile)
CVSS vector
The primary mitigation for CVE-2024-24683 is to upgrade to Apache Hop Engine version 2.8.0, which includes the necessary fix for the improper input validation. If an immediate upgrade is not feasible, consider implementing a Web Application Firewall (WAF) rule to filter requests containing suspicious characters in the 'id' parameter of the PrepareExecutionPipelineServlet URL. Additionally, carefully review and restrict access to the Hop Server component to limit the potential attack surface. After upgrade, confirm the fix by attempting to access a pipeline URL with a specially crafted 'id' parameter containing potentially malicious characters; the URL should be properly escaped and not lead to any unexpected behavior.
Update Apache Hop Engine to version 2.8.0 or later. This version fixes the input validation vulnerability that allows HTML code injection. The update mitigates the risk of exploitation through the 'id' parameter on the PrepareExecutionPipelineServlet page.
CVE-2024-24683 is a MEDIUM severity vulnerability in Apache Hop Engine versions before 2.8.0, where an unescaped 'id' parameter in the PrepareExecutionPipelineServlet could be exploited.
You are affected if you are using Apache Hop Engine versions 2.7.0 or earlier. Upgrade to version 2.8.0 to resolve the vulnerability.
Upgrade to Apache Hop Engine version 2.8.0. As a temporary workaround, implement a WAF rule to filter suspicious characters in the 'id' parameter.
There is currently no evidence of CVE-2024-24683 being actively exploited, but it's recommended to apply the fix promptly.
Refer to the Apache Hop project website and security announcements for the official advisory: https://hop.apache.org/security/