AVID-2026-R1553
Description
Vulnerability CVE-2024-49194
Details
Databricks JDBC Driver 2.x before 2.6.40 could allow remote code execution (RCE) through JNDI injection triggered via a JDBC URL parameter. The vulnerability is rooted in improper handling of the krbJAASFile parameter. An attacker could exploit it to achieve RCE in the context of the driver by tricking a victim into using a crafted connection URL that sets the krbJAASFile property.
Reason for inclusion in AVID: CVE-2024-49194 describes remote code execution via the Databricks JDBC Driver, a software component commonly used in AI data ingestion and pipeline tooling. This is a software supply-chain vulnerability affecting a component used to build/train/run AI systems, with clear RCE risk. Hardware/firmware is not implicated; the issue is in a software dependency relevant to AI workflows, and the report provides explicit vulnerability details.
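As an added example (not part of the AVID entry or the Databricks advisory), the following Python pre-connection check rejects Databricks JDBC URLs that carry the krbJAASFile property and flags driver versions in the affected 2.x range. The ';key=value' layout of the URL tail and the example host names are assumptions.

```python
import re
from urllib.parse import unquote

FIXED_VERSION = (2, 6, 40)               # first fixed 2.x release named in the advisory
DENYLISTED_PROPERTIES = {"krbjaasfile"}  # compared case-insensitively after decoding


def parse_jdbc_properties(url: str) -> dict:
    """Split the ';key=value' tail of a Databricks JDBC URL into a dict.

    Assumed layout: jdbc:databricks://host:port/path;key=value;key=value
    Keys are percent-decoded, stripped and lower-cased so that case or
    encoding variations of a property name do not slip past the check.
    Properties passed via a separate java.util.Properties object are out
    of scope here and must be checked by the caller.
    """
    if not url.lower().startswith("jdbc:databricks://"):
        raise ValueError("not a Databricks JDBC URL")
    props = {}
    for segment in url.split(";")[1:]:
        key, sep, value = segment.partition("=")
        if sep:
            props[unquote(key).strip().lower()] = unquote(value)
    return props


def check_jdbc_url(url: str) -> list:
    """Return a list of findings; an empty list means the URL passed."""
    findings = []
    for key in parse_jdbc_properties(url):
        if key in DENYLISTED_PROPERTIES:
            findings.append(f"property '{key}' is not permitted in connection URLs")
    return findings


def parse_version(version: str) -> tuple:
    """Reduce a driver version string such as '2.6.38' to (major, minor, patch)."""
    parts = re.findall(r"\d+", version)
    if len(parts) < 3:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(p) for p in parts[:3])


def is_affected_version(version: str) -> bool:
    """True for any 2.x driver below 2.6.40, the range CVE-2024-49194 names."""
    v = parse_version(version)
    return v[0] == 2 and v < FIXED_VERSION
```

Run both checks before handing a URL to the driver: refuse the connection on any finding, and treat an affected version as a patching task rather than something the URL filter alone can cover.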
References
- NVD entry
- https://kb.databricks.com/en_US/data-sources/security-bulletin-databricks-jdbc-driver-vulnerability-advisory-cve-2024-49194
Affected or Relevant Artifacts
- Developer: n/a
- Deployer: n/a
- Artifact Details:
| Type | Name |
|---|---|
| System | n/a |
Impact
AVID Taxonomy Categorization
- Risk domains: Security
- SEP subcategories: S0100: Software Vulnerability
- Lifecycle stages: L06: Deployment
Other information
- Report Type: Advisory
- Credits:
- Date Reported: 2024-12-17
- Version: 0.3.3
- AVID Entry