CVE-2023-51982: 
Java vulnerability analysis and mitigation

CrateDB 5.5.1 contains an authentication bypass vulnerability in the Admin UI component. The vulnerability was discovered on December 21, 2023, and allows attackers to bypass password authentication when accessing the Admin UI directly using the default user identity. This is achieved by setting the X-Real-IP request header to a specific value when local address authentication is configured (GitHub Issue).

The vulnerability exists in the authentication mechanism of CrateDB's Admin UI component. When host-based authentication is enabled with local address configuration, the system checks if the IP address matches '127.0.0.1' or '::1'. The vulnerability can be exploited by manipulating the X-Real-IP request header to these values, allowing unauthorized access. The issue has been assigned a CVSS v3.1 base score of 9.8 CRITICAL (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) (NVD).

A successful exploitation of this vulnerability allows attackers to bypass authentication and gain unauthorized access to the Admin UI with default user privileges. This could potentially lead to complete system compromise as the attacker would have administrative access to the database management interface (GitHub Issue).

The vulnerability affects CrateDB version 5.5.1. Users should monitor for updates from CrateDB for a patched version. In the meantime, organizations should carefully review their authentication configurations and consider implementing additional security controls such as network-level access restrictions (NVD).