Lucene search

Veracode Vulnerability DatabaseVERACODE:44914

HistoryJan 02, 2024 - 10:03 a.m.

Remote Code Execution

2024-01-0210:03:14

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

vulnerability

remote code execution

org.jeasy

easy-rules-mvel

class files

zer files

application

7.8 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

7.9 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

42.2%

JSON

org.jeasy, easy-rules-mvel is vulnerable to Remote Code Execution (RCE). The vulnerability is due to the execution of class files with the same name as the Zer file from methods then and when while loading Zer files into an application. An attacker can write a class file with same name as a Zer file (passed as an argument to then and when methods) into the current class path leading to Remote Code Execution (RCE) when that Zer file is loaded into the application.

CPENameOperatorVersion
easy rules mvel modulele4.1.0
easy rules mvel modulele4.1.0

CPE	Name	Operator	Version
	easy rules mvel module	le	4.1.0
	easy rules mvel module	le	4.1.0

References

github.com/foyaga/blog-timeline/issues/59

github.com/j-easy/easy-rules/issues/419

github.com/y1ong/blog-timeline/issues/347

7.8 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

7.9 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

42.2%

JSON

Related for VERACODE:44914