CVE-2024-56180 – org.apache.eventmesh:eventmesh-meta-raft

Package

Manager: maven
Name: org.apache.eventmesh:eventmesh-meta-raft
Vulnerable Version: >=1.10.1 <1.11.0

Severity

Level: Critical

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.00611 pctl0.68868

Details

Apache EventMesh: raft Hessian Deserialization Vulnerability allowing remote code execution CWE-502 Deserialization of Untrusted Data at the eventmesh-meta-raft plugin module in Apache EventMesh master branch without release version on windows\linux\mac os e.g. platforms allows attackers to send controlled message and remote code execute via hessian deserialization rpc protocol. Users can use the code under the master branch in project repo or version 1.11.0 to fix this issue.

Metadata

Created: 2025-02-14T15:31:05Z
Modified: 2025-02-19T17:48:09Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/02/GHSA-ffvr-gmp3-xx43/GHSA-ffvr-gmp3-xx43.json
CWE IDs: ["CWE-502"]
Alternative ID: GHSA-ffvr-gmp3-xx43
Finding: F096
Auto approve: 1