Apache Gravitino
Monthly
Remote code execution in Apache Gravitino before 1.2.1 allows unauthenticated callers to abuse the testConnection API by submitting a crafted H2 JDBC URL whose INIT parameter runs arbitrary Java on the server. The flaw only manifests when Gravitino is backed by the H2 database - a configuration primarily used for testing and local development - and CISA SSVC rates technical impact as total and exploitation as automatable, though no public exploit has surfaced. Fixed in 1.2.1; because Gravitino is usually deployed on internal networks and H2 is not the production default, the vendor characterizes real-world severity as low despite the 9.1 CVSS score.
SQL injection in the Apache Gravitino UI exposes server-side files to authenticated malicious users, enabling unauthorized file read and file truncation on the underlying host. Affected versions are listed as 1.0.0 and below, though the advisory contains an apparent inconsistency - the fix is attributed to version 1.0.0 itself, suggesting the actual patched release may be a later point version. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.
Remote code execution in Apache Gravitino before 1.2.1 allows unauthenticated callers to abuse the testConnection API by submitting a crafted H2 JDBC URL whose INIT parameter runs arbitrary Java on the server. The flaw only manifests when Gravitino is backed by the H2 database - a configuration primarily used for testing and local development - and CISA SSVC rates technical impact as total and exploitation as automatable, though no public exploit has surfaced. Fixed in 1.2.1; because Gravitino is usually deployed on internal networks and H2 is not the production default, the vendor characterizes real-world severity as low despite the 9.1 CVSS score.
SQL injection in the Apache Gravitino UI exposes server-side files to authenticated malicious users, enabling unauthorized file read and file truncation on the underlying host. Affected versions are listed as 1.0.0 and below, though the advisory contains an apparent inconsistency - the fix is attributed to version 1.0.0 itself, suggesting the actual patched release may be a later point version. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.