CVE-2024-49194

Name of the Vulnerable Software and Affected Versions Databricks JDBC Driver versions prior to 2.6.40

Description The issue is related to the improper handling of the krbJAASFile parameter, allowing a remote attacker to execute arbitrary code by triggering a JNDI injection via a JDBC URL parameter. This could potentially lead to remote code execution in the context of the driver. An attacker could exploit this by tricking a victim into using a crafted connection URL that uses the krbJAASFile property.

Recommendations For Databricks JDBC Driver versions prior to 2.6.40, update to version 2.6.40 or later to resolve the issue. As a temporary workaround, consider applying the recommended JVM configuration changes until a patch is available. Restrict access to the krbJAASFile parameter to minimize the risk of exploitation.