Skip to main content

Apache Gravitino EUVDEUVD-2025-210372

| CVE-2025-53648 MEDIUM
SQL Injection (CWE-89)
2026-06-30 apache GHSA-7ph3-grqh-pv9v
5.4
CVSS 3.1 · Vendor: apache
Share

Severity by source

Vendor (apache) PRIMARY
5.4 LOW
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
vuln.today AI
8.8 HIGH

Network-accessible UI with authenticated low-privilege user required; file read yields high confidentiality, file truncation yields high integrity and availability impact.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (apache).

CVSS VectorVendor: apache

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

3
CVSS changed
Jun 30, 2026 - 15:22 NVD
5.4 (MEDIUM)
Patch available
Jun 30, 2026 - 15:01 EUVD
Analysis Generated
Jun 30, 2026 - 14:30 vuln.today

DescriptionCVE.org

SQL misconfiguration in the Gravitino UI, in versions 1.0.0 and below, can allow a malicious user to read or truncate files. Users are recommended to upgrade to version 1.0.0, which fixes this issue.

AnalysisAI

SQL injection in the Apache Gravitino UI exposes server-side files to authenticated malicious users, enabling unauthorized file read and file truncation on the underlying host. Affected versions are listed as 1.0.0 and below, though the advisory contains an apparent inconsistency - the fix is attributed to version 1.0.0 itself, suggesting the actual patched release may be a later point version. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.

Technical ContextAI

Apache Gravitino is a relatively new Apache Software Foundation project providing a unified metadata lake and table format governance layer for data lakehouses. CWE-89 identifies the root cause as SQL injection - specifically described as a 'SQL misconfiguration' in the Gravitino UI, likely involving an embedded or backend SQL engine (such as H2, HSQLDB, or a similar in-process database commonly used in Java-based metadata platforms) where SQL file-operation functions (e.g., LOAD_FILE, TRUNCATE, CSVREAD, or RUNSCRIPT equivalents) are not properly restricted. Rather than a classic data exfiltration injection, the impact is file-system-level: the injected SQL leverages database-native file I/O capabilities to read arbitrary files or truncate them on the server. The CPE confirms the affected product as cpe:2.3:a:apache_software_foundation:apache_gravitino:*:*:*:*:*:*:*:*.

RemediationAI

The vendor advisory recommends upgrading Apache Gravitino to version 1.0.0 as the fix, though this conflicts with the affected-version range also citing 1.0.0 - consult https://lists.apache.org/thread/s0hytcv17z52dwp5dojjjwgrtqtyh2xk to confirm the exact patched version (likely a subsequent point release). Until upgrade is possible, restrict access to the Gravitino UI to trusted, least-privilege users only, and apply network-layer controls to prevent exposure of the UI to untrusted networks. If the underlying SQL engine supports disabling file I/O functions (e.g., setting H2's ALLOW_LITERALS or disabling RUNSCRIPT), apply those restrictions at the database configuration level. Audit which OS-level files are readable by the process account running Gravitino and minimize those permissions to reduce the blast radius of file-read exploitation.

Share

EUVD-2025-210372 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy