CVE-2022-31764

Feb. 6, 2025, 5:15 p.m.

8.5
High

Description

The Lite UI of Apache ShardingSphere ElasticJob-UI allows an attacker to perform RCE by constructing a special JDBC URL of H2 database. This issue affects Apache ShardingSphere ElasticJob-UI version 3.0.1 and prior versions. This vulnerability has been fixed in ElasticJob-UI 3.0.2. The premise of this attack is that the attacker has obtained the account and password. Otherwise, the attacker cannot perform this attack.

Product(s) Impacted

Product Versions
Apache ShardingSphere ElasticJob-UI
  • ['3.0.1', 'prior to 3.0.1']

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-913
Improper Control of Dynamically-Managed Code Resources
The product does not properly restrict reading from or writing to dynamically-managed code resources such as variables, objects, classes, attributes, functions, or executable instructions or statements.

References

https://lists.apache.org/thread/pg0k223m4hsnnzg4nh7lxvdxxgbkrlqb

Tags

security@apache.org
CWE-913
2025-02-06
CVE-2022-31764

CVSS Score

8.5 / 10

CVSS Data - 3.1

  • Attack Vector: NETWORK
  • Attack Complexity: HIGH
  • Privileges Required: LOW
  • Scope: CHANGED
  • Confidentiality Impact: HIGH
  • Integrity Impact: HIGH
  • Availability Impact: HIGH

    • CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

    View Vector String

Timeline

Published: Feb. 6, 2025, 3:15 p.m.
Last Modified: Feb. 6, 2025, 5:15 p.m.

Status : Awaiting Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

security@apache.org

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.