2 matches found
CVE-2023-38647
CVE-2023-38647 describes a deserialization vulnerability in Apache Helix workflow and REST where SnakeYAML can deserialize java.net.URLClassLoader to load a JAR from a URL, and then javax.script.ScriptEngineManager to execute code with that ClassLoader. This unbounded deserialization can likely l...
CVE-2024-22281
The CVE-2024-22281 entry concerns Apache Helix Front (UI). The vulnerability is caused by a hard-coded secret in the express-session usage, enabling session spoofing via forged cookies across all versions of the Front UI. Public details state that the project is retired and no fix will be release...