Apache UIMA DUCC: DUCC (EOL) allows RCE
Description
Authenticated users with permissions to modify core entities in Apache UIMA DUCC can execute arbitrary commands as the system user due to command injection.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability overview
CVE-2023-28935 is a command injection vulnerability in the Apache UIMA DUCC (Distributed UIMA Cluster Computing) module. The root cause is improper neutralization of special elements used in a command, allowing an authenticated user to inject arbitrary commands [1].
Exploitation
An attacker must be authenticated and have permissions to modify core entities within the DUCC web application. The attack surface is the web process, and the attacker can trigger command execution without requiring direct access to the underlying system [1].
Impact
Successful exploitation allows the attacker to execute arbitrary commands as the system user that runs the web process. This can lead to full system compromise, including unauthorized access, data exfiltration, and further lateral movement [1].
Mitigation
The Apache UIMA DUCC project was retired on December 21, 2022, and is no longer maintained. No patches will be released. Users are strongly advised to migrate to supported alternatives. The source code remains available for archival reference [2].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.apache.uima:uima-ducc-parent | Maven | <= 3.0.0 | — |
Affected products (2)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (3)
- [1] https://github.com/advisories/GHSA-34m5-796p-mjcp (GHSA advisory)
- [2] https://lists.apache.org/thread/r19z14b9rrfxv72r93q5trq5tyffo75g (vendor advisory, web)
- [3] https://nvd.nist.gov/vuln/detail/CVE-2023-28935 (NVD advisory)
News mentions (0)
No linked articles in our index yet.