CVE-2024-36265
📋 TL;DR
This CVE describes an incorrect authorization vulnerability in Apache Submarine Server Core that allows unauthorized access to sensitive functionality. It affects all versions from 0.8.0 onward. Since the project is retired, no official fix will be released, leaving users with vulnerable installations.
💻 Affected Systems
- Apache Submarine Server Core
📦 What is this software?
Submarine by Apache
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the Submarine Server instance, allowing attackers to execute arbitrary operations, access sensitive data, or take full control of the system.
Likely Case
Unauthorized users gaining access to administrative functions or sensitive data they shouldn't have permission to access.
If Mitigated
Limited impact if proper network segmentation and access controls prevent unauthorized users from reaching the vulnerable service.
🎯 Exploit Status
Exploitation requires understanding of the authorization bypass mechanism, but no public exploit code has been released.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: None
Vendor Advisory: https://lists.apache.org/thread/prckhhst19qxof064hsm8cccxtofvflz
Restart Required: No
Instructions:
No official patch exists. The project is retired and will not receive fixes.
🔧 Temporary Workarounds
Restrict Network Access
Limit access to the Submarine Server to trusted networks only using firewall rules.
iptables -A INPUT -p tcp --dport [SUBMARINE_PORT] -s [TRUSTED_NETWORK] -j ACCEPT
iptables -A INPUT -p tcp --dport [SUBMARINE_PORT] -j DROP
🧯 If You Can't Patch
- Migrate to an alternative supported platform as recommended by Apache.
- Implement strict network segmentation and access controls to limit exposure.
🔍 How to Verify
Check if Vulnerable:
Check whether the installed Apache Submarine Server version is 0.8.0 or later.
Check Version:
Check the Submarine Server configuration files or documentation for version information.
Verify Fix Applied:
Verify that the service is no longer accessible from untrusted networks or has been decommissioned.
📡 Detection & Monitoring
Log Indicators:
- Unauthorized access attempts to administrative endpoints
- Unexpected user actions from non-admin accounts
Network Indicators:
- Unusual traffic patterns to Submarine Server ports from unauthorized sources
SIEM Query:
source="submarine_server" AND (event_type="auth_failure" OR user="unauthorized")
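The log indicators above turned into a small scan, as an added example that is not from the advisory or the Submarine project. The key=value log format, the admin path prefix and the trusted source range are assumptions, since the advisory names none of them; the sample lines are constructed.

```python
import re
from collections import Counter

# Constructed sample lines in an ASSUMED key=value access-log format.
# Apache Submarine's real log layout is not given in the advisory.
SAMPLE_LOGS = """\
ts=2024-06-01T10:00:01Z user=alice role=user src=10.0.5.20 path=/api/v1/notebook status=200
ts=2024-06-01T10:00:05Z user=bob role=user src=10.0.5.21 path=/api/v1/admin/users status=200
ts=2024-06-01T10:00:07Z user=bob role=user src=10.0.5.21 path=/api/v1/admin/users status=200
ts=2024-06-01T10:00:09Z user=carol role=admin src=10.0.5.22 path=/api/v1/admin/users status=200
ts=2024-06-01T10:01:00Z user=- role=- src=203.0.113.9 path=/api/v1/admin/users status=401
ts=2024-06-01T10:01:01Z user=- role=- src=203.0.113.9 path=/api/v1/admin/users status=401
ts=2024-06-01T10:01:02Z user=- role=- src=203.0.113.9 path=/api/v1/admin/users status=401
"""

ADMIN_PREFIXES = ("/api/v1/admin/",)  # assumed administrative path prefix
TRUSTED_NETS = ("10.0.5.",)           # assumed trusted source range
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Split one key=value log line into a dict (empty dict if unparsable)."""
    return dict(FIELD_RE.findall(line))


def find_indicators(log_text, auth_fail_threshold=3):
    """Return (privilege_findings, untrusted_sources, repeated_failure_sources).

    privilege_findings: successful (200) hits on admin endpoints by a
    non-admin role, the signal an authorization bypass leaves behind.
    """
    privilege = []
    untrusted = set()
    failures = Counter()
    for raw in log_text.splitlines():
        entry = parse_line(raw)
        if not entry:
            continue
        on_admin_path = entry["path"].startswith(ADMIN_PREFIXES)
        if on_admin_path and entry["status"] == "200" and entry["role"] != "admin":
            privilege.append((entry["user"], entry["path"]))
        if not entry["src"].startswith(TRUSTED_NETS):
            untrusted.add(entry["src"])
        if entry["status"] in ("401", "403"):
            failures[entry["src"]] += 1
    repeated = sorted(s for s, n in failures.items() if n >= auth_fail_threshold)
    return privilege, sorted(untrusted), repeated
```

Successful admin-endpoint responses to a non-admin role are the finding worth escalating; the untrusted-source and repeated-failure lists map to the network indicators and the SIEM query above.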