CVE-2024-55551

moderate-risk
Published 2025-03-19

An issue was discovered in Exasol JDBC driver before 24.2.1 (2024-12-10). Attackers can inject malicious parameters into the JDBC URL, triggering JNDI injection during the process when the JDBC Driver uses this URL to connect to the database. This can further lead to remote code execution.

Do I need to act?

-
0.51% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
8
CVSS 8.3/10 High
NETWORK / HIGH complexity

Affected Products (1)

Jdbc Driver

Affected Vendors

Exasol

References (4)

Release Notes https://docs.exasol.com/db/7.1/release_notes_drivers_jdbc/24.2.1.htm
Product https://docs.exasol.com/db/latest/connect_exasol/drivers/jdbc.htm
Third Party Advisory https://gist.github.com/azraelxuemo/9565ec9219e0c3e9afd5474904c39d0f
Technical Description https://www.blackhat.com/eu-24/briefings/schedule/index.html#a-novel-attack-surf...
32
/ 100
moderate-risk
Severity 25/34 · High
Exploitability 2/34 · Minimal
Exposure 5/34 · Minimal