Unrestricted access to Apache HugeGraph
Description
Apache HugeGraph is a graph database compatible with Apache TinkerPop3 and the Gremlin query language. This finding occurs when HugeGraph is deployed without authentication enabled, leaving its REST and Gremlin APIs open to anyone who can reach the service. By default, HugeGraph does not enforce authentication (no authenticator is configured), so an unauthenticated client can list graphs, read and modify graph data, and execute Gremlin queries against the database.
Remediation
Enable authentication for Apache HugeGraph by configuring the StandardAuthenticator. Follow these steps:
1. Edit the gremlin-server.yaml file and add the authentication configuration:

   authentication: {
     authenticator: org.apache.hugegraph.auth.StandardAuthenticator,
     authenticationHandler: org.apache.hugegraph.auth.WsAndHttpBasicAuthHandler,
     config: {tokens: conf/rest-server.properties}
   }

2. Edit the rest-server.properties file and enable authentication (replace the placeholder token with a long, randomly generated secret and keep it out of version control):

   auth.authenticator=org.apache.hugegraph.auth.StandardAuthenticator
   auth.admin_token=your-secure-admin-token-here
3. Restart the HugeGraph server to apply the changes.
4. After the restart, create user accounts through the HugeGraph API using the admin token rather than relying on default credentials. Ensure all default passwords are changed and strong authentication tokens are used in production. Finally, confirm from an unauthenticated client that API requests are now rejected, and keep the service off untrusted networks regardless of the authentication setting.
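The check that closes the loop on the steps above, as an added example that is not part of the HugeGraph project: a small probe that sends GET /graphs with no credentials and classifies the answer, plus a helper that builds the HTTP Basic header the configured handler expects. It assumes the REST server listens on HugeGraph's default http://127.0.0.1:8080, that GET /graphs returns a JSON object with a "graphs" key when served, and that the server answers 401 once authentication is enforced; all three are assumptions about the deployment, not facts stated on this page.

```python
"""Probe a HugeGraph REST server for missing authentication.

Added example (not HugeGraph project code). Assumptions:
  - REST API at http://127.0.0.1:8080 (HugeGraph's default port);
  - GET /graphs returns {"graphs": [...]} when the request is served;
  - with StandardAuthenticator enabled, a request without credentials
    is rejected with HTTP 401.
"""
import base64
import json
import sys
import urllib.error
import urllib.request
from typing import Optional, Tuple

UNAUTHENTICATED = "UNAUTHENTICATED"  # served the listing with no credentials
AUTH_ENFORCED = "AUTH_ENFORCED"      # server demanded credentials
UNKNOWN = "UNKNOWN"                  # not enough evidence either way


def basic_auth_header(user: str, password: str) -> str:
    """Authorization header value for the WsAndHttpBasicAuthHandler (HTTP Basic)."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def classify(status: int, body: str) -> str:
    """Classify the response to an unauthenticated GET /graphs.

    A 200 whose body is a JSON object listing graphs means anyone who can
    reach the port can enumerate the database (the condition this page
    describes). A 401 means authentication is being enforced. Anything else
    (404, 500, non-JSON body) is reported as UNKNOWN rather than guessed.
    """
    if status == 401:
        return AUTH_ENFORCED
    if status == 200:
        try:
            doc = json.loads(body)
        except ValueError:
            return UNKNOWN
        if isinstance(doc, dict) and "graphs" in doc:
            return UNAUTHENTICATED
    return UNKNOWN


def probe(base_url: str, auth_header: Optional[str] = None,
          timeout: float = 5.0) -> Tuple[int, str]:
    """Send GET /graphs (network call) and return (status, body)."""
    req = urllib.request.Request(base_url.rstrip("/") + "/graphs")
    if auth_header:
        req.add_header("Authorization", auth_header)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        # 401/403/404 arrive here; the status code is still what we want.
        return err.code, err.read().decode("utf-8", "replace")


if __name__ == "__main__":
    base = sys.argv[1] if len(sys.argv) > 1 else "http://127.0.0.1:8080"
    status, body = probe(base)
    print(f"{base}/graphs -> HTTP {status}: {classify(status, body)}")
    # Optional second pass with credentials (assumed user/password pair) to
    # confirm that the configured account still works after remediation.
    if len(sys.argv) > 3:
        status, body = probe(base, basic_auth_header(sys.argv[2], sys.argv[3]))
        print(f"authenticated as {sys.argv[2]} -> HTTP {status}")
```

Run it once before and once after enabling the StandardAuthenticator; the first run should print UNAUTHENTICATED and the second AUTH_ENFORCED. Anything reported as UNKNOWN (for example a 404 because the graph listing lives at a different path in your version) needs a manual look rather than being treated as fixed.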