Security Advisory
AB-2024-003

Published 25 June 2024
Version 1.0.0
Severity Medium
CVSS Score 6.3 (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L)
CVE https://nvd.nist.gov/vuln/detail/CVE-2024-37382

 

Affected Products

Metadata Hub, Authorization Gateway
Versions 4.3.1.0, 4.2.3.4, 4.2.2.8, 4.2.1.6, 4.1.6.11, 4.1.5.10, 4.1.4.8 and earlier

Overview

Remote code execution (RCE) vulnerability in Ab Initio Metadata Hub and Authorization Gateway.

Description

A user with administrator privileges for Metadata Hub or Authorization Gateway can cause arbitrary code to be executed on a Metadata Hub or Authorization Gateway import host by adjusting the Metadata Hub or Authorization Gateway server configuration in a specific manner.

Impact

The arbitrary code can be executed as the OS user for the importer process. Consequently, the code can access any import host resources that are available to the importer user account.

Solution

If you are using an affected version of Metadata Hub or Authorization Gateway, we recommend that you upgrade to Version 4.1.4.9, 4.1.5.11, 4.1.6.12, 4.2.1.7, 4.2.2.9, 4.2.3.5, or 4.3.1.1 (or a later version).

If you cannot upgrade at this time, you can mitigate the vulnerability in the short term by updating your Metadata Hub and Authorization Gateway server configurations. For information about the recommended configuration, please contact Ab Initio Support (support@abinitio.com).
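
To triage an inventory against the version lists above, the following added example (not Ab Initio code) classifies an installed version as affected, fixed, or unlisted. It assumes versions are four dotted integers in which the first three name a release branch and the fourth is the patch level; the host names and the `classify` helper are hypothetical.

```python
# Added example: classify an installed version against advisory AB-2024-003.
# Assumption: a version is a.b.c.d, where a.b.c names a release branch and
# d is the patch level within that branch.

# First fixed version per branch, taken from the advisory's Solution section.
FIXED = ["4.1.4.9", "4.1.5.11", "4.1.6.12", "4.2.1.7",
         "4.2.2.9", "4.2.3.5", "4.3.1.1"]


def parse(version):
    """Parse 'a.b.c.d' into a tuple of four non-negative integers."""
    parts = tuple(int(p) for p in version.strip().split("."))
    if len(parts) != 4 or any(p < 0 for p in parts):
        raise ValueError(f"expected a.b.c.d, got {version!r}")
    return parts


# Map each branch (a, b, c) to the first patch level that carries the fix.
FIXED_BY_BRANCH = {parse(v)[:3]: parse(v)[3] for v in FIXED}


def classify(version):
    """Return 'affected', 'fixed' or 'unlisted' for an installed version."""
    parsed = parse(version)
    branch, patch = parsed[:3], parsed[3]
    if branch in FIXED_BY_BRANCH:
        # Numeric comparison: 4.1.5.9 is older than 4.1.5.11.
        return "fixed" if patch >= FIXED_BY_BRANCH[branch] else "affected"
    if branch < min(FIXED_BY_BRANCH):
        return "affected"   # "and earlier": no fixed build listed for it
    if branch > max(FIXED_BY_BRANCH):
        return "fixed"      # "or a later version"
    return "unlisted"       # between listed branches: confirm with Support


if __name__ == "__main__":
    # Constructed inventory for illustration, not real hosts.
    inventory = {"mhub-prod": "4.2.3.4", "mhub-test": "4.2.3.5",
                 "ag-legacy": "4.0.9.2", "ag-dev": "4.2.0.1"}
    for host, version in inventory.items():
        print(f"{host:10} {version:10} {classify(version)}")
```

A result of `unlisted` means the advisory names no fixed build for that branch, so the status should be confirmed with Ab Initio Support rather than inferred.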

Credits

Ab Initio thanks Michele Mariani and Davide Turaccio of InTheCyber Group for responsibly reporting the identified issue and working with us as we addressed it.