CVE-2024-49194: Databricks JDBC Driver Command Injection vulnerability

December 17, 2024 (updated December 18, 2024)

Databricks JDBC Driver before 2.6.40 could potentially allow remote code execution (RCE) by triggering a JNDI injection via a JDBC URL parameter. The vulnerability is rooted in the improper handling of the krbJAASFile parameter. An attacker could potentially exploit this vulnerability to achieve Remote Code Execution in the context of the driver by tricking a victim into using a crafted connection URL that uses the property krbJAASFile.

References

github.com/advisories/GHSA-jxw2-jvxf-5vrp
kb.databricks.com/en_US/data-sources/security-bulletin-databricks-jdbc-driver-vulnerability-advisory-cve-2024-49194
nvd.nist.gov/vuln/detail/CVE-2024-49194

Detect and mitigate CVE-2024-49194 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →