CVE-2023-45146 – com.xuxueli:xxl-rpc-core

Package

Manager: maven
Name: com.xuxueli:xxl-rpc-core
Vulnerable Version: >=0 <=1.7.0

Severity

Level: Critical

CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

EPSS: 0.04171 pctl0.88244

Details

XXL-RPC Deserialization of Untrusted Data vulnerability XXL-RPC is a high performance, distributed RPC framework. With it, a TCP server can be set up using the Netty framework and the Hessian serialization mechanism. When such a configuration is used, attackers may be able to connect to the server and provide malicious serialized objects that, once deserialized, force it to execute arbitrary code. This can be abused to take control of the machine the server is running by way of remote code execution. This issue has not been fixed.

Metadata

Created: 2024-08-05T21:29:22Z
Modified: 2024-08-05T21:29:22Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/08/GHSA-f984-3wx8-grp9/GHSA-f984-3wx8-grp9.json
CWE IDs: ["CWE-502"]
Alternative ID: GHSA-f984-3wx8-grp9
Finding: F096
Auto approve: 1