CVE-2024-26307

2024-03-21 10:15:07
CWE-362
apache
web.nvd.nist.gov
Tags: apache doris, cve-2024-26307, race condition, vulnerability, upgrade, 2.0.4

CVSS3: 5.3

Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: LOW

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

AI Score: 6.9
Confidence: Low

EPSS: 0
Percentile: 9.0%

Possible race condition vulnerability in Apache Doris.
Some of the code uses the chmod() method. This method runs the risk of someone renaming the file out from under the user, so that the wrong file is chmodded.
This could theoretically happen, but the impact would be minimal.
This issue affects Apache Doris: before 1.2.8, before 2.0.4.

Users are recommended to upgrade to version 2.0.4, which fixes the issue.
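
The race described above, shown as an added example (not code from Apache Doris or from this advisory): a path-based chmod() acts on whatever the name points to at call time, while fchmod() on a descriptor that was opened and validated first stays bound to the checked inode. The function names, file names and the temporary directory are hypothetical, and the descriptor-based pattern is a common mitigation for this class of bug; the page does not say how the Doris fix was implemented.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Racy pattern: chmod() resolves the path again at call time, so whatever
 * the name points to at that instant receives the new mode. */
int set_mode_by_path(const char *path, mode_t mode) { return chmod(path, mode); }

/* Hardened pattern, step 1: bind to one inode and validate that inode.
 * O_NOFOLLOW rejects a symlink in the final path component. */
int open_checked(const char *path) {
    struct stat st;
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return -1;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != geteuid()) {
        close(fd);
        return -1;
    }
    return fd;
}

static mode_t mode_of(const char *p) {
    struct stat st;
    return stat(p, &st) == 0 ? (st.st_mode & 0777) : (mode_t)-1;
}
static void make_file(const char *p) { close(open(p, O_CREAT | O_EXCL | O_WRONLY, 0600)); }

/* Constructed scenario: the name is swapped after validation. Returns 0 when
 * fchmod() (step 2) hit the validated inode and chmod() hit the replacement. */
int demo_swap_after_open(void) {
    char dir[] = "/tmp/chmod_demo_XXXXXX", a[64], b[64], moved[64];
    if (!mkdtemp(dir)) return -1;
    snprintf(a, sizeof a, "%s/data", dir);
    snprintf(b, sizeof b, "%s/other", dir);
    snprintf(moved, sizeof moved, "%s/data.old", dir);
    make_file(a); make_file(b);
    int fd = open_checked(a);
    if (fd < 0) return -1;
    rename(a, moved); rename(b, a);   /* simulated concurrent rename */
    int fixed = fchmod(fd, 0640) == 0 && mode_of(moved) == 0640 && mode_of(a) == 0600;
    int racy = set_mode_by_path(a, 0644) == 0 && mode_of(a) == 0644 && mode_of(moved) == 0640;
    close(fd); unlink(a); unlink(moved); rmdir(dir);
    return (fixed && racy) ? 0 : 1;
}

int main(void) { return demo_swap_after_open(); }
```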

Affected configurations

Vulners
Vulnrichment
Node
apache doris, Range: 1.2.8
OR
apache doris, Range: 2.0.4

Vendor | Product | Version | CPE
apache | doris | * | cpe:2.3:a:apache:doris:*:*:*:*:*:*:*:*

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "Apache Doris",
    "vendor": "Apache Software Foundation",
    "versions": [
      {
        "lessThan": "1.2.8",
        "status": "affected",
        "version": "0",
        "versionType": "semver"
      },
      {
        "lessThan": "2.0.4",
        "status": "affected",
        "version": "0",
        "versionType": "semver"
      }
    ]
  }
]
