Impact
The vulnerability is a SQL misconfiguration in the Apache Gravitino user interface that affects releases 1.0.0 and earlier. A malicious user can craft input that allows files on the filesystem to be read or truncated. The issue is classified as CWE‑89, a classic SQL Injection weakness, and it compromises the confidentiality and integrity of stored data.
Affected Systems
The affected product is the Apache Software Foundation’s Apache Gravitino, versions 1.0.0 and below. No specific CPE strings or sub‑product identifiers are listed; therefore the entire base product as shipped up to and including release 1.0.0 is impacted. Users running these versions should be aware that the UI component does not properly sanitize user input, which is the root cause of the SQL flaw.
Risk and Exploitability
The CVSS score is 5.4; no EPSS score is provided, so the likelihood of exploitation cannot be quantified. The vulnerability is not listed in CISA’s KEV catalog, which suggests no publicly known exploitation yet. Because the flaw is exposed through the Gravitino UI, the likely attack vector is local or involves authenticated users with UI access; no external network attack was documented. Mitigating the risk requires applying the post‑1.0.0 fix and ensuring that only trusted users can interact with the UI or execute administration commands.
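The missing input sanitization described above is the general CWE‑89 pattern: user-controlled text is spliced into the SQL statement, so the input can change the query's structure rather than just its values. The script below is an added illustration of that pattern beside its hardened form; it is not Gravitino's code, and the advisory gives no details of the actual UI query, schema or payload. The in-memory SQLite table, its `catalogs`/`name` schema and the sample catalog names are constructed assumptions.

```python
import sqlite3

# Constructed sample data (not Gravitino's schema): three catalog names.
SAMPLE_CATALOGS = ["hive_prod", "iceberg_lake", "postgres_ops"]


def _connect():
    """Return an in-memory SQLite database populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE catalogs (name TEXT NOT NULL)")
    conn.executemany(
        "INSERT INTO catalogs (name) VALUES (?)", [(n,) for n in SAMPLE_CATALOGS]
    )
    return conn


def lookup_vulnerable(name):
    """CWE-89 pattern: the user-controlled value is concatenated into the SQL text.

    A value containing a quote character terminates the string literal and the
    remainder of the input is interpreted as SQL, so the WHERE clause can be
    rewritten by whoever controls `name`.
    """
    conn = _connect()
    sql = f"SELECT name FROM catalogs WHERE name = '{name}'"
    rows = conn.execute(sql).fetchall()
    conn.close()
    return [r[0] for r in rows]


def lookup_parameterized(name):
    """Hardened form: the value is bound as a parameter.

    The database driver keeps the statement text and the value separate, so the
    input is always compared literally and can never alter the query structure.
    """
    conn = _connect()
    rows = conn.execute(
        "SELECT name FROM catalogs WHERE name = ?", (name,)
    ).fetchall()
    conn.close()
    return [r[0] for r in rows]


if __name__ == "__main__":
    # Constructed input: the leading quote closes the literal and the rest
    # becomes a tautology, turning an exact-match lookup into "return everything".
    tautology = "' OR '1'='1"
    print(lookup_vulnerable("hive_prod"))    # ['hive_prod']
    print(lookup_vulnerable(tautology))      # all three rows: the query logic was rewritten
    print(lookup_parameterized(tautology))   # []: the value is compared as plain text
```

Running the script shows the same legitimate lookup succeeding in both forms, while the constructed input returns every row from the concatenated query and nothing from the parameterized one. The fix is structural, not a blocklist of characters: binding parameters removes the code/data confusion entirely, which is why it is the standard remediation for CWE‑89.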
OpenCVE Enrichment