Lucene search

[email protected]CVE-2023-38647

HistoryJul 26, 2023 - 8:15 a.m.

CVE-2023-38647

2023-07-2608:15:10

CWE-502

[email protected]

web.nvd.nist.gov

cve-2023-38647

snakeyaml

deserialization

rce

java

urlclassloader

javax.script.scriptenginemanager

helix

rest

workflow

yaml

mitigation

nvd

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

9.5 High

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

55.3%

JSON

An attacker can use SnakeYAML to deserialize java.net.URLClassLoader and make it load a JAR from a specified URL, and then deserialize javax.script.ScriptEngineManager to load code using that ClassLoader. This unbounded deserialization can likely lead to remote code execution. The code can be run in Helix REST start and Workflow creation.

Affect all the versions lower and include 1.2.0.

Affected products: helix-core, helix-rest

Mitigation: Short term, stop using any YAML based configuration and workflow creation.
Long term, all Helix version bumping up to 1.3.0

Affected configurations

Vulners

NVD

Node

apachehelixRange≤1.2.0

CPENameOperatorVersion
apache:helixapache helixlt1.3.0

CPE	Name	Operator	Version
apache:helix	apache helix	lt	1.3.0

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "Apache Helix",
    "vendor": "Apache Software Foundation",
    "versions": [
      {
        "lessThanOrEqual": "1.2.0",
        "status": "affected",
        "version": "0",
        "versionType": "maven"
      }
    ]
  }
]