
List:       oss-security
Subject:    [oss-security] CVE-2023-28935: Apache UIMA DUCC: DUCC (EOL) allows RCE
From:       Arnout Engelen <engelen () apache ! org>
Date:       2023-03-30 9:08:32
Message-ID: fde5850e-ac32-0e92-0df6-55f9f2175ca2 () apache ! org

Severity: moderate

Description:

** UNSUPPORTED WHEN ASSIGNED ** Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in Apache Software Foundation Apache UIMA DUCC.

When using the "Distributed UIMA Cluster Computing" (DUCC) module of Apache UIMA, an authenticated user that has the permissions to modify core entities can cause command execution as the system user that runs the web process.

As the "Distributed UIMA Cluster Computing" module for UIMA is retired, we do not plan to release a fix for this issue.

NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

Credit:

Crilwa (finder)

References:

https://uima.apache.org/
https://www.cve.org/CVERecord?id=CVE-2023-28935

