CVE-2017-11467
published 2017-07-20


Priority: P189 · critical · CVSS 3.0 score 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 73.07% (99.4th percentile)
OrientDB through 2.2.22 does not enforce privilege requirements during "where" or "fetchplan" or "order by" use, which allows remote attackers to execute arbitrary OS commands via a crafted request.

Affected

1 range
Vendor: orientdb · Product: orientdb · Version range: <= 2.2.22 · Fixed in: (not listed)

Detection & IOCs (extracted from sources)

port: 2480
url: /document/{db}/-1:-1
url: /function/{db}/{func_name}
url: /document/{db}/{func_id}
command: select * from oRole order by name;
  • Detect unauthenticated or low-privileged (writer/reader) HTTP POST requests to the OrientDB REST API endpoints /document/ and /function/ — exploitation uses the default 'writer:writer' credentials to create and invoke a malicious Groovy function.
  • Alert on OrientDB SQL queries containing 'oRole' combined with 'order by', 'where', or 'fetchplan' clauses issued by non-admin users — this is the privilege-bypass vector.
  • Monitor for creation of Groovy functions via the OrientDB REST API (/document/ POST) followed immediately by invocation via /function/ POST — this two-step pattern is the exploitation sequence.
  • Detect GRANT privilege escalation queries targeting 'database.class.ouser', 'database.function', and 'database.systemclusters' issued by the writer role — these are used to self-escalate before exploitation.
  • Flag processes spawned by the OrientDB JVM that create named pipes (mkfifo /tmp/f) or invoke netcat (nc) — indicative of the reverse shell payload delivered via the unsandboxed Groovy executor.
  • The exploit works even if the admin password has been changed, because it relies on the default 'writer' user (password 'writer') that is automatically created for every new OrientDB database.
  • All OrientDB versions from 2.2.2 up to and including 2.2.22 are vulnerable; the default TCP port is 2480.
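The first three detection bullets above can be checked against HTTP access logs and query audit records. The following is an added example (not code from cvebase or the OrientDB project) that flags the create-then-invoke sequence per client and the oRole privilege-bypass query pattern; the log line format and the sample lines are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines: "<timestamp> <client> <method> <path> <status>".
# Real OrientDB HTTP access logging will differ; adjust LINE_RE accordingly.
SAMPLE_LOG = """\
2017-07-21T10:00:01 10.0.0.5 POST /document/demo/-1:-1 201
2017-07-21T10:00:03 10.0.0.5 POST /function/demo/f1 200
2017-07-21T10:00:09 10.0.0.7 GET /document/demo/9:1 200
2017-07-21T10:05:00 10.0.0.9 POST /document/demo/-1:-1 201
"""

LINE_RE = re.compile(r"(\S+) (\S+) (\S+) (\S+) (\d+)")
DOC_RE = re.compile(r"^/document/([^/]+)/")    # group 1 = database name
FUNC_RE = re.compile(r"^/function/([^/]+)/")   # group 1 = database name


def find_create_then_invoke(log_text, window_seconds=60):
    """Return (client, create_path, invoke_path) for each POST /document/{db}/...
    followed within window_seconds by a POST /function/{db}/... from the same
    client against the same database (the two-step pattern in the bullets)."""
    recent_creates = defaultdict(list)   # client -> [(timestamp, db, path)]
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m.group(1))
        client, method, path = m.group(2), m.group(3), m.group(4)
        if method != "POST":
            continue
        doc = DOC_RE.match(path)
        func = FUNC_RE.match(path)
        if doc:
            recent_creates[client].append((ts, doc.group(1), path))
        elif func:
            for cts, db, cpath in recent_creates[client]:
                if db == func.group(1) and ts - cts <= timedelta(seconds=window_seconds):
                    hits.append((client, cpath, path))
    return hits


# oRole referenced together with one of the clauses named in the advisory.
QUERY_RE = re.compile(r"\borole\b.*\b(order\s+by|where|fetchplan)\b", re.IGNORECASE)


def is_suspicious_query(sql, user):
    """True when a non-admin user issues an oRole query using the bypass clauses."""
    return user != "admin" and QUERY_RE.search(sql) is not None
```

Tune the window and the admin-user check to your deployment; the query check is meant for an audit or query log, not the HTTP access log.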

CVSS provenance

nvd · v3.0 · 9.8 CRITICAL · CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd · v2.0 · 10.0 CRITICAL · AV:N/AC:L/Au:N/C:C/I:C/A:C
vulncheck · 9.8 CRITICAL