CVE-2024-27438

Name of the Vulnerable Software and Affected Versions Apache Doris versions 1.2.0 through 2.0.4

Description The issue is related to the download of code without integrity check in Apache Doris, which may result in remote command execution. An attacker authorized to create a JDBC catalog can use an arbitrary driver jar file with an unchecked code snippet, which will be run when the catalog is initializing without any check.

Recommendations For Apache Doris versions 1.2.0 through 2.0.4, users are recommended to upgrade to version 2.0.5 or 2.1.x, which fixes the issue. As a temporary workaround, consider restricting access to the JDBC catalog creation functionality to minimize the risk of exploitation. Additionally, avoid using arbitrary driver jar files with unchecked code snippets in the affected API endpoints until the issue is resolved.