
=====================================================================

                             CERT-Renater

                  Note d'Information No. 2023/VULN128

_____________________________________________________________________

DATE                : 29/03/2023

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Apache UIMA.

=====================================================================
https://lists.apache.org/thread/r19z14b9rrfxv72r93q5trq5tyffo75g
_____________________________________________________________________

CVE-2023-28935: Apache UIMA DUCC: DUCC (EOL) allows RCE
Severity: moderate


Description:

** UNSUPPORTED WHEN ASSIGNED ** Improper Neutralization of Special
Elements used in a Command ('Command Injection') vulnerability in
Apache Software Foundation Apache UIMA DUCC.


When using the "Distributed UIMA Cluster Computing" (DUCC) module
of Apache UIMA, an authenticated user who has permission to
modify core entities can cause command execution as the system user
that runs the web process.


As the "Distributed UIMA Cluster Computing" module for UIMA is
retired, we do not plan to release a fix for this issue.
NOTE: This vulnerability only affects products that are no longer
supported by the maintainer.


Credit:

Crilwa (finder)


References:

https://uima.apache.org/
https://www.cve.org/CVERecord?id=CVE-2023-28935



=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================