CVE-2023-28935

2023-03-3010:15:07

CWE-77

[email protected]

web.nvd.nist.gov

cve-2023-28935

command injection

apache uima

ducc

security vulnerability

unsupported software

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

8.7 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

43.6%

JSON

UNSUPPORTED WHEN ASSIGNED Improper Neutralization of Special Elements used in a Command (‘Command Injection’) vulnerability in Apache Software Foundation Apache UIMA DUCC.

When using the “Distributed UIMA Cluster Computing” (DUCC) module of Apache UIMA, an authenticated user that has the permissions to modify core entities can cause command execution as the system user that runs the web process.

As the “Distributed UIMA Cluster Computing” module for UIMA is retired, we do not plan to release a fix for this issue.
NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

Affected configurations

NVD

Node

apacheunstructured_information_management_architectureMatch-

CPENameOperatorVersion
apache:unstructured_information_management_architectureapache unstructured information management architectureeq-

CPE	Name	Operator	Version
apache:unstructured_information_management_architecture	apache unstructured information management architecture	eq	-

CNA Affected

[
  {
    "defaultStatus": "affected",
    "product": "Apache UIMA DUCC",
    "vendor": "Apache Software Foundation",
    "versions": [
      {
        "lessThanOrEqual": "*",
        "status": "affected",
        "version": "0",
        "versionType": "semver"
      }
    ]
  }
]