Platform
java
Component
org.apache.hop:hop
Fixed in
2.8.0
CVE-2024-24683 describes an Improper Input Validation vulnerability in the Apache Hop Engine. The flaw stems from insufficient escaping of the 'id' parameter in the PrepareExecutionPipelineServlet, which leaves the servlet open to exploitation. The vulnerability affects versions of Apache Hop Engine prior to 2.8.0; a fix is available in version 2.8.0.
The vulnerability lies in how the Hop Server component constructs links to the PrepareExecutionPipelineServlet. Specifically, the 'id' parameter, which identifies a pipeline, is not properly escaped before being included in the URL. While users typically don't directly create pipelines, an attacker could potentially craft a malicious URL that, when accessed, could lead to unintended consequences. Although the description indicates a low risk due to the indirect accessibility of the 'id' parameter, successful exploitation could lead to unauthorized access or modification of pipeline configurations within the Hop Server environment. The blast radius is limited to the Hop Server component itself, and does not directly affect the client.
This CVE was publicly disclosed on March 19, 2024. The vulnerability's impact is considered low due to the indirect accessibility of the affected parameter. There is no indication of this vulnerability being added to the CISA KEV catalog or being actively exploited at this time. No public proof-of-concept exploits have been identified.
Organizations utilizing Apache Hop Engine for data integration and transformation workflows, particularly those running versions prior to 2.8.0, are at risk. Environments where the Hop Server component is exposed to external networks or untrusted users are especially vulnerable.
• linux / server: Monitor Hop Server logs for unusual activity related to the PrepareExecutionPipelineServlet. Use journalctl -u hop-server to filter for errors or suspicious requests containing the 'id' parameter.
• generic web: Use curl to test the PrepareExecutionPipelineServlet URL with various 'id' parameters containing special characters. Examine the response for any signs of unexpected behavior or error messages.
curl 'http://<hop-server>/hop-server/PrepareExecutionPipelineServlet?id=<malicious_id>' -v
Exploit status
EPSS
0.45% (64th percentile)
The primary mitigation for CVE-2024-24683 is to upgrade to Apache Hop Engine version 2.8.0, which includes the necessary fix for the improper input validation. If an immediate upgrade is not feasible, consider implementing a Web Application Firewall (WAF) rule to filter requests containing suspicious characters in the 'id' parameter of the PrepareExecutionPipelineServlet URL. Additionally, carefully review and restrict access to the Hop Server component to limit the potential attack surface. After upgrade, confirm the fix by attempting to access a pipeline URL with a specially crafted 'id' parameter containing potentially malicious characters; the URL should be properly escaped and not lead to any unexpected behavior.
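As an added example (not code from the Apache Hop project), the Python below shows the bug class behind this CVE as a vulnerable link builder beside its escaped form, plus a defender's check that runs the log-monitoring step above over access-log lines. The servlet path is the one written in the curl command on this page; the sample log lines, the safe-id character set and the function names are constructed assumptions.

```python
import html
import re
from urllib.parse import parse_qs, quote, urlsplit

# Servlet path as written on this page (assumption for a real deployment).
SERVLET_PATH = "/hop-server/PrepareExecutionPipelineServlet"

# Assumed policy: a pipeline id is a plain token; anything else is worth a look.
SAFE_ID = re.compile(r"^[A-Za-z0-9_.-]+$")


def build_link_unsafe(pipeline_id: str) -> str:
    """Bug class from the advisory: id concatenated into an HTML link unescaped."""
    return f'<a href="{SERVLET_PATH}?id={pipeline_id}">prepare</a>'


def build_link_safe(pipeline_id: str) -> str:
    """Hardened form: percent-encode for the URL, then escape for the attribute."""
    url = f"{SERVLET_PATH}?id={quote(pipeline_id, safe='')}"
    return f'<a href="{html.escape(url, quote=True)}">prepare</a>'


def suspicious_requests(log_lines):
    """Return (line_no, decoded_id) for servlet requests whose id is not a plain token."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = re.search(r'"(?:GET|POST) (\S+) HTTP/', line)
        if not m:
            continue
        parts = urlsplit(m.group(1))
        if parts.path != SERVLET_PATH:
            continue
        # parse_qs already percent-decodes the values, so we inspect the real id.
        for decoded in parse_qs(parts.query, keep_blank_values=True).get("id", []):
            if not SAFE_ID.match(decoded):
                hits.append((n, decoded))
    return hits


# Constructed sample access-log lines (not real Hop Server output).
SAMPLE_LOG = [
    '10.0.0.5 - - [19/Mar/2024:10:00:01 +0000] "GET /hop-server/PrepareExecutionPipelineServlet?id=a1b2c3 HTTP/1.1" 200 512',
    '10.0.0.9 - - [19/Mar/2024:10:00:07 +0000] "GET /hop-server/PrepareExecutionPipelineServlet?id=x%22%3Cb%3E HTTP/1.1" 200 498',
    '10.0.0.5 - - [19/Mar/2024:10:00:09 +0000] "GET /hop-server/status HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    print(build_link_safe('x"<b>'))
    print(suspicious_requests(SAMPLE_LOG))
```

The same check can be run after the upgrade as the verification step: the escaped link must not contain the raw special characters that the unsafe builder passes through.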
Update Apache Hop Engine to version 2.8.0 or later. This version fixes the input validation vulnerability that allows HTML code injection. The update mitigates the risk of exploitation through the 'id' parameter on the PrepareExecutionPipelineServlet page.
CVE-2024-24683 is a MEDIUM severity vulnerability in Apache Hop Engine versions before 2.8.0, where an unescaped 'id' parameter in the PrepareExecutionPipelineServlet could be exploited.
You are affected if you are using Apache Hop Engine versions 2.7.0 or earlier. Upgrade to version 2.8.0 to resolve the vulnerability.
Upgrade to Apache Hop Engine version 2.8.0. As a temporary workaround, implement a WAF rule to filter suspicious characters in the 'id' parameter.
There is currently no evidence of CVE-2024-24683 being actively exploited, but it's recommended to apply the fix promptly.
Refer to the Apache Hop project website and security announcements for the official advisory: https://hop.apache.org/security/