CVE-2024-49194

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2024-49194
Databricks JDBC Driver 2.x before 2.6.40 could potentially allow remote code execution (RCE) by triggering a JNDI injection via a JDBC URL parameter. The vulnerability is rooted in the improper handling of the krbJAASFile parameter. An attacker could potentially exploit this vulnerability to achieve Remote Code Execution in the context of the driver by tricking a victim into using a crafted connection URL that uses the property krbJAASFile.

7.3 /10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 2.1 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://kb.databricks.com/en_US/data-sources/security-bulletin-databricks-jdbc-driver-vulnerability-advisory-cve-2024-49194
Configurations

No configuration.

History

02 Jul 2025, 12:15

Type Values Removed Values Added
Summary
  • (es) Databricks JDBC Driver anterior a la versión 2.6.40 podría permitir la ejecución remota de código (RCE) al activar una inyección JNDI a través de un parámetro URL de JDBC. La vulnerabilidad tiene su raíz en la gestión inadecuada del parámetro krbJAASFile. Un atacante podría explotar esta vulnerabilidad para lograr la ejecución remota de código en el contexto del controlador engañando a una víctima para que use una URL de conexión manipulada que use la propiedad krbJAASFile.
Summary (en) Databricks JDBC Driver before 2.6.40 could potentially allow remote code execution (RCE) by triggering a JNDI injection via a JDBC URL parameter. The vulnerability is rooted in the improper handling of the krbJAASFile parameter. An attacker could potentially exploit this vulnerability to achieve Remote Code Execution in the context of the driver by tricking a victim into using a crafted connection URL that uses the property krbJAASFile. (en) Databricks JDBC Driver 2.x before 2.6.40 could potentially allow remote code execution (RCE) by triggering a JNDI injection via a JDBC URL parameter. The vulnerability is rooted in the improper handling of the krbJAASFile parameter. An attacker could potentially exploit this vulnerability to achieve Remote Code Execution in the context of the driver by tricking a victim into using a crafted connection URL that uses the property krbJAASFile.

18 Dec 2024, 17:15

Type Values Removed Values Added
CWE CWE-77
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 7.3

17 Dec 2024, 20:15

Type Values Removed Values Added
New CVE
Information

Published : 2024-12-17 20:15

Updated : 2025-07-02 12:15

NVD link : CVE-2024-49194

Mitre link : CVE-2024-49194

CVE.ORG link : CVE-2024-49194

JSON object : View

Products Affected

No product.

CWE
CWE-77

Improper Neutralization of Special Elements used in a Command ('Command Injection')