Search
Find a vulnerability
Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
6 vulnerabilities found for eventmesh by apache
CVE-2024-39954 (GCVE-0-2024-39954)
Vulnerability from cvelistv5 – Published: 2025-08-20 08:56 – Updated: 2025-08-20 13:20
VLAI
Title
Apache EventMesh Runtime: SSRF
Summary
CWE-918 Server-Side Request Forgery (SSRF) in eventmesh-runtime module in WebhookUtil.java on windows\linux\mac os e.g. allows the attacker can abuse functionality on the server to read or update internal resources.
Users are recommended to upgrade to version 1.12.0 or use the master branch , which fixes this issue.
Severity
6.3 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://lists.apache.org/thread/v6c96zygqx8xc2k3n… | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache EventMesh Runtime |
Affected:
1.6.0 , ≤ 1.11.0
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-39954",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-20T13:19:23.904981Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-20T13:20:27.851Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.maven.apache.org/maven2",
"defaultStatus": "unaffected",
"packageName": "org.apache.eventmesh:eventmesh-runtime",
"product": "Apache EventMesh Runtime",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "1.11.0",
"status": "affected",
"version": "1.6.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Mak1r 808 \u003c808mak1r@gmail.com\u003e"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "CWE-918 Server-Side Request Forgery (SSRF) in eventmesh-runtime module in \u003cspan style=\"background-color: rgba(0, 0, 0, 0.06);\"\u003eWebhookUtil.java\u003c/span\u003e on windows\\linux\\mac os e.g. allows the attacker can abuse functionality on the server to read or update internal resources.\u003cbr\u003eUsers are recommended to upgrade to version 1.12.0 or use the master branch , which fixes this issue."
}
],
"value": "CWE-918 Server-Side Request Forgery (SSRF) in eventmesh-runtime module in WebhookUtil.java on windows\\linux\\mac os e.g. allows the attacker can abuse functionality on the server to read or update internal resources.\nUsers are recommended to upgrade to version 1.12.0 or use the master branch , which fixes this issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "low"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918 Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-20T08:56:41.560Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/v6c96zygqx8xc2k3n2d59mgnm5txhkon"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache EventMesh Runtime: SSRF",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2024-39954",
"datePublished": "2025-08-20T08:56:41.560Z",
"dateReserved": "2024-07-05T03:29:51.640Z",
"dateUpdated": "2025-08-20T13:20:27.851Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-56180 (GCVE-0-2024-56180)
Vulnerability from cvelistv5 – Published: 2025-02-14 13:34 – Updated: 2025-02-18 15:10
VLAI
Title
Apache EventMesh: raft Hessian Deserialization Vulnerability allowing remote code execution
Summary
CWE-502 Deserialization of Untrusted Data at the eventmesh-meta-raft plugin module in Apache EventMesh master branch without release version on windows\linux\mac os e.g. platforms allows attackers to send controlled message and remote code execute via hessian deserialization rpc protocol. Users can use the code under the master branch in project repo or version 1.11.0 to fix this issue.
Severity
9.8 (Critical)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-502 - Deserialization of Untrusted Data
Assigner
References
2 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache EventMesh |
Affected:
1.10.1 , < 1.11.0
(semver)
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-02-14T17:02:37.296Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2025/02/14/7"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-56180",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-18T15:09:26.643766Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-18T15:10:16.650Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.maven.apache.org/maven2",
"defaultStatus": "unaffected",
"packageName": "org.apache.eventmesh:eventmesh-meta-raft",
"product": "Apache EventMesh",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "1.11.0",
"status": "affected",
"version": "1.10.1",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "yulate"
},
{
"lang": "en",
"type": "reporter",
"value": "Au5t1n"
},
{
"lang": "en",
"type": "reporter",
"value": "h3h3qaq"
},
{
"lang": "en",
"type": "reporter",
"value": "X1r0z"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eCWE-502 Deserialization of Untrusted Data at the eventmesh-meta-raft\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;plugin\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;module in Apache EventMesh master branch without release version on windows\\linux\\mac os e.g. platforms allows attackers to send controlled message and \u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eremote code execute\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;via hessian d\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eeserialization rpc protocol\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e. Users can use the code under the master branch in project repo or version 1.11.0 to fix this issue.\u003c/span\u003e\u003cbr\u003e"
}
],
"value": "CWE-502 Deserialization of Untrusted Data at the eventmesh-meta-raft\u00a0plugin\u00a0module in Apache EventMesh master branch without release version on windows\\linux\\mac os e.g. platforms allows attackers to send controlled message and remote code execute\u00a0via hessian deserialization rpc protocol. Users can use the code under the master branch in project repo or version 1.11.0 to fix this issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "moderate"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502 Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-14T15:27:57.229Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/k9fw0t5r7t1vbx53gs8d1r8c54rhx0wd"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache EventMesh: raft Hessian Deserialization Vulnerability allowing remote code execution",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2024-56180",
"datePublished": "2025-02-14T13:34:26.600Z",
"dateReserved": "2024-12-18T07:46:43.781Z",
"dateUpdated": "2025-02-18T15:10:16.650Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-26512 (GCVE-0-2023-26512)
Vulnerability from cvelistv5 – Published: 2023-07-17 07:16 – Updated: 2024-10-02 18:06
VLAI
Title
Apache EventMesh RabbitMQ-Connector plugin allows RCE through deserialization of untrusted data
Summary
CWE-502 Deserialization of Untrusted Data at the rabbitmq-connector plugin module in Apache EventMesh (incubating) V1.7.0\V1.8.0 on windows\linux\mac os e.g. platforms allows attackers to send controlled message and
remote code execute via rabbitmq messages. Users can use the code under the master branch in project repo to fix this issue, we will release the new version as soon as possible.
Severity
9.8 (Critical)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-502 - Deserialization of Untrusted Data
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://lists.apache.org/thread/zb1d62wh8o8pvntrn… | vendor-advisory |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache EventMesh (incubating) RabbitMQ connector |
Affected:
1.7.0 , ≤ 1.8.0
(maven)
|
|
| apache | eventmesh |
Affected:
1.7.0 , ≤ 1.8.0
(custom)
cpe:2.3:a:apache:eventmesh:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T11:53:53.630Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/zb1d62wh8o8pvntrnx4t1hj8vz0pm39p"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:apache:eventmesh:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "eventmesh",
"vendor": "apache",
"versions": [
{
"lessThanOrEqual": "1.8.0",
"status": "affected",
"version": "1.7.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-26512",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-02T18:03:04.277186Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-02T18:06:06.619Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache EventMesh (incubating) RabbitMQ connector",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "1.8.0",
"status": "affected",
"version": "1.7.0",
"versionType": "maven"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "xuxiaoyu of HW GTS shengjian lab"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "CWE-502 Deserialization of Untrusted Data\u0026nbsp;at the\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003erabbitmq-connector plugin\u003c/span\u003e\u0026nbsp;module in Apache EventMesh (incubating)\u0026nbsp;V1.7.0\\V1.8.0 on windows\\linux\\mac os e.g. platforms allows attackers\u0026nbsp;to send controlled message and \n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eremote code execute\u003c/span\u003e\u0026nbsp;via rabbitmq messages. Users can use the code under the master branch in project repo to fix this issue, we will release the new version as soon as possible."
}
],
"value": "CWE-502 Deserialization of Untrusted Data\u00a0at the\u00a0rabbitmq-connector plugin\u00a0module in Apache EventMesh (incubating)\u00a0V1.7.0\\V1.8.0 on windows\\linux\\mac os e.g. platforms allows attackers\u00a0to send controlled message and \n\nremote code execute\u00a0via rabbitmq messages. Users can use the code under the master branch in project repo to fix this issue, we will release the new version as soon as possible."
}
],
"metrics": [
{
"other": {
"content": {
"text": "critical"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502 Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-07-27T09:32:27.341Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/zb1d62wh8o8pvntrnx4t1hj8vz0pm39p"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache EventMesh RabbitMQ-Connector plugin allows RCE through deserialization of untrusted data",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2023-26512",
"datePublished": "2023-07-17T07:16:12.413Z",
"dateReserved": "2023-02-24T08:43:05.213Z",
"dateUpdated": "2024-10-02T18:06:06.619Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-39954 (GCVE-0-2024-39954)
Vulnerability from nvd – Published: 2025-08-20 08:56 – Updated: 2025-08-20 13:20
VLAI
Title
Apache EventMesh Runtime: SSRF
Summary
CWE-918 Server-Side Request Forgery (SSRF) in eventmesh-runtime module in WebhookUtil.java on windows\linux\mac os e.g. allows the attacker can abuse functionality on the server to read or update internal resources.
Users are recommended to upgrade to version 1.12.0 or use the master branch , which fixes this issue.
Severity
6.3 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://lists.apache.org/thread/v6c96zygqx8xc2k3n… | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache EventMesh Runtime |
Affected:
1.6.0 , ≤ 1.11.0
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-39954",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-20T13:19:23.904981Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-20T13:20:27.851Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.maven.apache.org/maven2",
"defaultStatus": "unaffected",
"packageName": "org.apache.eventmesh:eventmesh-runtime",
"product": "Apache EventMesh Runtime",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "1.11.0",
"status": "affected",
"version": "1.6.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Mak1r 808 \u003c808mak1r@gmail.com\u003e"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "CWE-918 Server-Side Request Forgery (SSRF) in eventmesh-runtime module in \u003cspan style=\"background-color: rgba(0, 0, 0, 0.06);\"\u003eWebhookUtil.java\u003c/span\u003e on windows\\linux\\mac os e.g. allows the attacker can abuse functionality on the server to read or update internal resources.\u003cbr\u003eUsers are recommended to upgrade to version 1.12.0 or use the master branch , which fixes this issue."
}
],
"value": "CWE-918 Server-Side Request Forgery (SSRF) in eventmesh-runtime module in WebhookUtil.java on windows\\linux\\mac os e.g. allows the attacker can abuse functionality on the server to read or update internal resources.\nUsers are recommended to upgrade to version 1.12.0 or use the master branch , which fixes this issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "low"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918 Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-20T08:56:41.560Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/v6c96zygqx8xc2k3n2d59mgnm5txhkon"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache EventMesh Runtime: SSRF",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2024-39954",
"datePublished": "2025-08-20T08:56:41.560Z",
"dateReserved": "2024-07-05T03:29:51.640Z",
"dateUpdated": "2025-08-20T13:20:27.851Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-56180 (GCVE-0-2024-56180)
Vulnerability from nvd – Published: 2025-02-14 13:34 – Updated: 2025-02-18 15:10
VLAI
Title
Apache EventMesh: raft Hessian Deserialization Vulnerability allowing remote code execution
Summary
CWE-502 Deserialization of Untrusted Data at the eventmesh-meta-raft plugin module in Apache EventMesh master branch without release version on windows\linux\mac os e.g. platforms allows attackers to send controlled message and remote code execute via hessian deserialization rpc protocol. Users can use the code under the master branch in project repo or version 1.11.0 to fix this issue.
Severity
9.8 (Critical)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-502 - Deserialization of Untrusted Data
Assigner
References
2 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache EventMesh |
Affected:
1.10.1 , < 1.11.0
(semver)
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-02-14T17:02:37.296Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2025/02/14/7"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-56180",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-18T15:09:26.643766Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-18T15:10:16.650Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.maven.apache.org/maven2",
"defaultStatus": "unaffected",
"packageName": "org.apache.eventmesh:eventmesh-meta-raft",
"product": "Apache EventMesh",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "1.11.0",
"status": "affected",
"version": "1.10.1",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "yulate"
},
{
"lang": "en",
"type": "reporter",
"value": "Au5t1n"
},
{
"lang": "en",
"type": "reporter",
"value": "h3h3qaq"
},
{
"lang": "en",
"type": "reporter",
"value": "X1r0z"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eCWE-502 Deserialization of Untrusted Data at the eventmesh-meta-raft\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;plugin\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;module in Apache EventMesh master branch without release version on windows\\linux\\mac os e.g. platforms allows attackers to send controlled message and \u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eremote code execute\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;via hessian d\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eeserialization rpc protocol\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e. Users can use the code under the master branch in project repo or version 1.11.0 to fix this issue.\u003c/span\u003e\u003cbr\u003e"
}
],
"value": "CWE-502 Deserialization of Untrusted Data at the eventmesh-meta-raft\u00a0plugin\u00a0module in Apache EventMesh master branch without release version on windows\\linux\\mac os e.g. platforms allows attackers to send controlled message and remote code execute\u00a0via hessian deserialization rpc protocol. Users can use the code under the master branch in project repo or version 1.11.0 to fix this issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "moderate"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502 Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-14T15:27:57.229Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/k9fw0t5r7t1vbx53gs8d1r8c54rhx0wd"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache EventMesh: raft Hessian Deserialization Vulnerability allowing remote code execution",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2024-56180",
"datePublished": "2025-02-14T13:34:26.600Z",
"dateReserved": "2024-12-18T07:46:43.781Z",
"dateUpdated": "2025-02-18T15:10:16.650Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-26512 (GCVE-0-2023-26512)
Vulnerability from nvd – Published: 2023-07-17 07:16 – Updated: 2024-10-02 18:06
VLAI
Title
Apache EventMesh RabbitMQ-Connector plugin allows RCE through deserialization of untrusted data
Summary
CWE-502 Deserialization of Untrusted Data at the rabbitmq-connector plugin module in Apache EventMesh (incubating) V1.7.0\V1.8.0 on windows\linux\mac os e.g. platforms allows attackers to send controlled message and
remote code execute via rabbitmq messages. Users can use the code under the master branch in project repo to fix this issue, we will release the new version as soon as possible.
Severity
9.8 (Critical)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-502 - Deserialization of Untrusted Data
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://lists.apache.org/thread/zb1d62wh8o8pvntrn… | vendor-advisory |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache EventMesh (incubating) RabbitMQ connector |
Affected:
1.7.0 , ≤ 1.8.0
(maven)
|
|
| apache | eventmesh |
Affected:
1.7.0 , ≤ 1.8.0
(custom)
cpe:2.3:a:apache:eventmesh:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T11:53:53.630Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/zb1d62wh8o8pvntrnx4t1hj8vz0pm39p"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:apache:eventmesh:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "eventmesh",
"vendor": "apache",
"versions": [
{
"lessThanOrEqual": "1.8.0",
"status": "affected",
"version": "1.7.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-26512",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-02T18:03:04.277186Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-02T18:06:06.619Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache EventMesh (incubating) RabbitMQ connector",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "1.8.0",
"status": "affected",
"version": "1.7.0",
"versionType": "maven"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "xuxiaoyu of HW GTS shengjian lab"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "CWE-502 Deserialization of Untrusted Data\u0026nbsp;at the\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003erabbitmq-connector plugin\u003c/span\u003e\u0026nbsp;module in Apache EventMesh (incubating)\u0026nbsp;V1.7.0\\V1.8.0 on windows\\linux\\mac os e.g. platforms allows attackers\u0026nbsp;to send controlled message and \n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eremote code execute\u003c/span\u003e\u0026nbsp;via rabbitmq messages. Users can use the code under the master branch in project repo to fix this issue, we will release the new version as soon as possible."
}
],
"value": "CWE-502 Deserialization of Untrusted Data\u00a0at the\u00a0rabbitmq-connector plugin\u00a0module in Apache EventMesh (incubating)\u00a0V1.7.0\\V1.8.0 on windows\\linux\\mac os e.g. platforms allows attackers\u00a0to send controlled message and \n\nremote code execute\u00a0via rabbitmq messages. Users can use the code under the master branch in project repo to fix this issue, we will release the new version as soon as possible."
}
],
"metrics": [
{
"other": {
"content": {
"text": "critical"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502 Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-07-27T09:32:27.341Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/zb1d62wh8o8pvntrnx4t1hj8vz0pm39p"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache EventMesh RabbitMQ-Connector plugin allows RCE through deserialization of untrusted data",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2023-26512",
"datePublished": "2023-07-17T07:16:12.413Z",
"dateReserved": "2023-02-24T08:43:05.213Z",
"dateUpdated": "2024-10-02T18:06:06.619Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}