| Field | Value |
| --- | --- |
| Published | 25 June 2024 |
| Version | 1.0.0 |
| Severity | Medium |
| CVSS Score | CVSS 6.3 (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L) |
| CVE | https://nvd.nist.gov/vuln/detail/CVE-2024-37382 |

Remote code execution (RCE) vulnerability in Ab Initio Metadata Hub and Authorization Gateway.
A user with administrator privileges for Metadata Hub or Authorization Gateway can cause arbitrary code to be executed on a Metadata Hub or Authorization Gateway import host by adjusting the Metadata Hub or Authorization Gateway server configuration in a specific manner.
The arbitrary code can be executed as the OS user for the importer process. Consequently, the code can access any import host resources that are available to the importer user account.
If you are using an affected version of Metadata Hub or Authorization Gateway, we recommend that you upgrade to Version 4.1.4.9, 4.1.5.11, 4.1.6.12, 4.2.1.7, 4.2.2.9, 4.2.3.5, or 4.3.1.1 (or a later version).
If you cannot upgrade at this time, you can mitigate the vulnerability in the short term by updating your Metadata Hub and Authorization Gateway server configurations. For information about the recommended configuration, please contact Ab Initio Support (support@abinitio.com).
Ab Initio thanks Michele Mariani and Davide Turaccio of InTheCyber Group for responsibly reporting the identified issue and working with us as we addressed it.