
=====================================================================

                            CERT-Renater

                Information Note No. 2026/VULN450
_____________________________________________________________________

DATE                : 04/05/2026

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Apache Atlas versions prior to
                     2.5.0 (affected: 0.8 through 2.4.0).

=====================================================================
https://lists.apache.org/thread/gjzhjs28d55m7h4zhwjgb7wpcj6zykbh
_____________________________________________________________________

CVE-2026-40563: Apache Atlas: Script injection allows access to
unintended data

Severity: important 

Affected versions:

- Apache Atlas (org.apache.atlas:atlas-repository) 0.8 through 2.4.0

Description:
Improper Control of Generation of Code ('Code Injection') vulnerability
in Apache Atlas.
Apache Atlas exposes a DSL search endpoint that accepts user-supplied
query strings. An attacker can alter the Gremlin traversal logic using
only characters the DSL grammar allows, and thereby read data they are
not authorised to access.


Affected versions:
This issue affects Apache Atlas from 0.8 through 2.4.0.

For affected versions >= 2.0, the vulnerability is only present when
Atlas is deployed with the following non-default configuration:


atlas.dsl.executor.traversal=false
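
The version range and the configuration gate above combine into a simple
exposure check. The following script is an added example, not code from
the advisory or from the Apache Atlas project: it reads a Java-style
properties file (Atlas keeps its settings in atlas-application.properties),
takes the deployed version string as input, and applies the advisory's
rules: every version from 0.8 up to and including 2.4.0 is in range;
versions before 2.0 are affected regardless of configuration; versions
from 2.0 onward are affected only when atlas.dsl.executor.traversal is
explicitly set to false. An absent key is treated as "not set to false",
following the advisory's description of that value as non-default. The
properties text below is constructed sample input; the function and
constant names are this example's own.

```python
"""Exposure check for CVE-2026-40563 (added example, not Apache Atlas code).

Inputs: the Atlas version string you read from your deployment, and the
text of its atlas-application.properties. Output: whether the deployment
matches the affected range and configuration the advisory describes.
"""
import re

# Version boundaries and property name exactly as stated in the advisory.
FIRST_AFFECTED = (0, 8)
LAST_AFFECTED = (2, 4, 0)
CONFIG_GATED_FROM = (2, 0)      # from 2.0 on, only traversal=false is exposed
FIXED_IN = "2.5.0"
TRAVERSAL_KEY = "atlas.dsl.executor.traversal"

# Constructed sample of a properties file; not taken from a real deployment.
SAMPLE_PROPERTIES = """\
# constructed sample of conf/atlas-application.properties
atlas.rest.address=http://localhost:21000
atlas.dsl.executor.traversal=false
"""


def parse_version(text: str) -> tuple:
    """Turn '2.4.0' or '2.3.0-SNAPSHOT' into a tuple of ints for comparison.

    Python compares tuples lexicographically, so (2, 4) < (2, 4, 0) and
    (0, 8) <= (0, 8, 1), which is the ordering we want for dotted versions.
    """
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unrecognised Atlas version: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def parse_properties(text: str) -> dict:
    """Minimal Java .properties reader: skips blank and comment lines,
    accepts '=' or ':' separators, strips surrounding whitespace, and lets
    a later duplicate key override an earlier one."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def traversal_disabled(props: dict) -> bool:
    """True only when the key is explicitly set to false (case-insensitive).
    An absent key is treated as not disabled, since the advisory calls
    'false' the non-default setting."""
    return props.get(TRAVERSAL_KEY, "").strip().lower() == "false"


def assess(version: str, properties_text: str) -> dict:
    """Apply the advisory's rules and explain the verdict."""
    v = parse_version(version)
    disabled = traversal_disabled(parse_properties(properties_text))
    in_range = FIRST_AFFECTED <= v <= LAST_AFFECTED

    if not in_range:
        affected, reason = False, "version outside 0.8 through 2.4.0"
    elif v < CONFIG_GATED_FROM:
        affected, reason = True, "versions before 2.0 are affected regardless of configuration"
    elif disabled:
        affected, reason = True, f"{TRAVERSAL_KEY}=false is the exposed non-default setting"
    else:
        affected, reason = False, f"{TRAVERSAL_KEY} is not set to false"

    return {
        "version": ".".join(map(str, v)),
        "traversal_disabled": disabled,
        "affected": affected,
        "reason": reason,
        "action": f"upgrade to {FIXED_IN}" if affected else "none required",
    }


if __name__ == "__main__":
    for ver, props in [("2.4.0", SAMPLE_PROPERTIES), ("2.4.0", ""),
                       ("1.2.0", ""), ("2.5.0", SAMPLE_PROPERTIES)]:
        r = assess(ver, props)
        print(f"{r['version']:>6}  affected={r['affected']!s:<5}  {r['reason']}; {r['action']}")
```

Run it against the properties file of each Atlas instance and the version
you obtain from that deployment; the script only evaluates the rules the
advisory states and does not probe the DSL endpoint itself.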


Mitigation:
Users are recommended to upgrade to version 2.5.0, which fixes the
issue.


Credit:

Khaled M. Alshammri (finder)
qx L (finder)


References:

https://atlas.apache.org/
https://www.cve.org/CVERecord?id=CVE-2026-40563


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================