CVE-2023-26512 – org.apache.eventmesh:eventmesh-connector-rabbitmq

Package

Manager: maven
Name: org.apache.eventmesh:eventmesh-connector-rabbitmq
Vulnerable Version: >=1.7.0 <=1.8.0

Severity

Level: Critical

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.00073 pctl0.22707

Details

rabbitmq-connector plugin module in Apache EventMesh platforms allows attackers to send controlled message CWE-502 Deserialization of Untrusted Data at the rabbitmq-connector plugin module in Apache EventMesh (incubating) V1.7.0\V1.8.0 on windows\linux\mac os e.g. platforms allows attackers to send controlled message and remote code execute via rabbitmq messages. Users can use the code under the master branch in project repo to fix this issue, the new version is set to be released as soon as possible.

Metadata

Created: 2023-07-17T09:30:23Z
Modified: 2023-07-28T21:37:28Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-fj8f-56wc-q36r/GHSA-fj8f-56wc-q36r.json
CWE IDs: ["CWE-502"]
Alternative ID: GHSA-fj8f-56wc-q36r
Finding: F096
Auto approve: 1