Lucene search

GitHub Advisory DatabaseGHSA-FJ8F-56WC-Q36R

HistoryJul 17, 2023 - 9:30 a.m.

rabbitmq-connector plugin module in Apache EventMesh platforms allows attackers to send controlled message

2023-07-1709:30:23

CWE-502

GitHub Advisory Database

github.com

apache eventmesh

rabbitmq-connector

plugin

vulnerability

cwe-502

deserialization of untrusted data

remote code execute

windows

linux

mac os

update

release

security fix

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

0.007 Low

EPSS

Percentile

79.9%

JSON

CWE-502 Deserialization of Untrusted Data at the rabbitmq-connector plugin module in Apache EventMesh (incubating) V1.7.0\V1.8.0 on windows\linux\mac os e.g. platforms allows attackers to send controlled message and

remote code execute via rabbitmq messages. Users can use the code under the master branch in project repo to fix this issue, the new version is set to be released as soon as possible.

Affected configurations

Vulners

Node

rabbitmqjms_clientRange≤1.8.0rabbitmq

CPENameOperatorVersion
org.apache.eventmesh:eventmesh-connector-rabbitmqle1.8.0

CPE	Name	Operator	Version
	org.apache.eventmesh:eventmesh-connector-rabbitmq	le	1.8.0

References

github.com/advisories/GHSA-fj8f-56wc-q36r

lists.apache.org/thread/zb1d62wh8o8pvntrnx4t1hj8vz0pm39p

nvd.nist.gov/vuln/detail/CVE-2023-26512

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

0.007 Low

EPSS

Percentile

79.9%

JSON

Related for GHSA-FJ8F-56WC-Q36R