cvelistv5 - cve-2024-56180

CVE-2024-56180 (GCVE-0-2024-56180)

Vulnerability from cvelistv5

Published

2025-02-14 13:34

Modified

2025-02-18 15:10

Severity ?

CWE

CWE-502 - Deserialization of Untrusted Data

Summary

CWE-502 Deserialization of Untrusted Data at the eventmesh-meta-raft plugin module in Apache EventMesh master branch without release version on windows\linux\mac os e.g. platforms allows attackers to send controlled message and remote code execute via hessian deserialization rpc protocol. Users can use the code under the master branch in project repo or version 1.11.0 to fix this issue.

References

▼	URL	Tags
	security@apache.org	https://lists.apache.org/thread/k9fw0t5r7t1vbx53gs8d1r8c54rhx0wd	Mailing List, Vendor Advisory, Issue Tracking
	af854a3a-2127-422b-91ae-364da2661108	http://www.openwall.com/lists/oss-security/2025/02/14/7	Mailing List, Third Party Advisory

Impacted products

	Vendor	Product	Version
	Apache Software Foundation	Apache EventMesh	Version: 1.10.1 ≤

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-02-14T17:02:37.296Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2025/02/14/7"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 9.8,
              "baseSeverity": "CRITICAL",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-56180",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-18T15:09:26.643766Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-18T15:10:16.650Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://repo.maven.apache.org/maven2",
          "defaultStatus": "unaffected",
          "packageName": "org.apache.eventmesh:eventmesh-meta-raft",
          "product": "Apache EventMesh",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThan": "1.11.0",
              "status": "affected",
              "version": "1.10.1",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "yulate"
        },
        {
          "lang": "en",
          "type": "reporter",
          "value": "Au5t1n"
        },
        {
          "lang": "en",
          "type": "reporter",
          "value": "h3h3qaq"
        },
        {
          "lang": "en",
          "type": "reporter",
          "value": "X1r0z"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eCWE-502 Deserialization of Untrusted Data at the eventmesh-meta-raft\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;plugin\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;module in Apache EventMesh master branch without release version on windows\\linux\\mac os e.g. platforms allows attackers to send controlled message and \u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eremote code execute\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;via hessian d\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eeserialization rpc protocol\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e. Users can use the code under the master branch in project repo or version 1.11.0 to fix this issue.\u003c/span\u003e\u003cbr\u003e"
            }
          ],
          "value": "CWE-502 Deserialization of Untrusted Data at the eventmesh-meta-raft\u00a0plugin\u00a0module in Apache EventMesh master branch without release version on windows\\linux\\mac os e.g. platforms allows attackers to send controlled message and remote code execute\u00a0via hessian deserialization rpc protocol. Users can use the code under the master branch in project repo or version 1.11.0 to fix this issue."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "text": "moderate"
            },
            "type": "Textual description of severity"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-502",
              "description": "CWE-502 Deserialization of Untrusted Data",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-02-14T15:27:57.229Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.apache.org/thread/k9fw0t5r7t1vbx53gs8d1r8c54rhx0wd"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Apache EventMesh: raft Hessian Deserialization Vulnerability allowing remote code execution",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2024-56180",
    "datePublished": "2025-02-14T13:34:26.600Z",
    "dateReserved": "2024-12-18T07:46:43.781Z",
    "dateUpdated": "2025-02-18T15:10:16.650Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-56180\",\"sourceIdentifier\":\"security@apache.org\",\"published\":\"2025-02-14T14:15:32.267\",\"lastModified\":\"2025-07-14T13:07:40.770\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"CWE-502 Deserialization of Untrusted Data at the eventmesh-meta-raft\u00a0plugin\u00a0module in Apache EventMesh master branch without release version on windows\\\\linux\\\\mac os e.g. platforms allows attackers to send controlled message and remote code execute\u00a0via hessian deserialization rpc protocol. Users can use the code under the master branch in project repo or version 1.11.0 to fix this issue.\"},{\"lang\":\"es\",\"value\":\"CWE-502 La deserializaci\u00f3n de datos no confiables en el m\u00f3dulo de complemento eventmesh-meta-raft en la rama maestra Apache EventMesh sin versi\u00f3n de lanzamiento en plataformas Windows\\\\Linux\\\\Mac OS, por ejemplo, permite a los atacantes enviar mensajes controlados y ejecutar c\u00f3digo remoto a trav\u00e9s del protocolo RPC de deserializaci\u00f3n hessiana. Los usuarios pueden usar el c\u00f3digo en la rama maestra en el repositorio del proyecto o la versi\u00f3n 1.11.0 para solucionar este problema.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"security@apache.org\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-502\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:eventmesh:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"1.10.1\",\"versionEndExcluding\":\"1.11.0\",\"matchCriteriaId\":\"55CDF7A9-8EB7-43F5-B892-61114CE8669D\"}]}]}],\"references\":[{\"url\":\"https://lists.apache.org/thread/k9fw0t5r7t1vbx53gs8d1r8c54rhx0wd\",\"source\":\"security@apache.org\",\"tags\":[\"Mailing List\",\"Vendor Advisory\",\"Issue Tracking\"]},{\"url\":\"http://www.openwall.com/lists/oss-security/2025/02/14/7\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"http://www.openwall.com/lists/oss-security/2025/02/14/7\"}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2025-02-14T17:02:37.296Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 9.8, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"CRITICAL\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-56180\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-02-18T15:09:26.643766Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-02-18T15:09:53.488Z\"}}], \"cna\": {\"title\": \"Apache EventMesh: raft Hessian Deserialization Vulnerability allowing remote code execution\", \"source\": {\"discovery\": \"UNKNOWN\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"reporter\", \"value\": \"yulate\"}, {\"lang\": \"en\", \"type\": \"reporter\", \"value\": \"Au5t1n\"}, {\"lang\": \"en\", \"type\": \"reporter\", \"value\": \"h3h3qaq\"}, {\"lang\": \"en\", \"type\": \"reporter\", \"value\": \"X1r0z\"}], \"metrics\": [{\"other\": {\"type\": \"Textual description of severity\", \"content\": {\"text\": \"moderate\"}}}], \"affected\": [{\"vendor\": \"Apache Software Foundation\", \"product\": \"Apache EventMesh\", \"versions\": [{\"status\": \"affected\", \"version\": \"1.10.1\", \"lessThan\": \"1.11.0\", \"versionType\": \"semver\"}], \"packageName\": \"org.apache.eventmesh:eventmesh-meta-raft\", \"collectionURL\": \"https://repo.maven.apache.org/maven2\", \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://lists.apache.org/thread/k9fw0t5r7t1vbx53gs8d1r8c54rhx0wd\", \"tags\": [\"vendor-advisory\"]}], \"x_generator\": {\"engine\": \"Vulnogram 0.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"CWE-502 Deserialization of Untrusted Data at the eventmesh-meta-raft\\u00a0plugin\\u00a0module in Apache EventMesh master branch without release version on windows\\\\linux\\\\mac os e.g. platforms allows attackers to send controlled message and remote code execute\\u00a0via hessian deserialization rpc protocol. Users can use the code under the master branch in project repo or version 1.11.0 to fix this issue.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003eCWE-502 Deserialization of Untrusted Data at the eventmesh-meta-raft\u003c/span\u003e\u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003e\u0026nbsp;plugin\u003c/span\u003e\u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003e\u0026nbsp;module in Apache EventMesh master branch without release version on windows\\\\linux\\\\mac os e.g. platforms allows attackers to send controlled message and \u003c/span\u003e\u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003eremote code execute\u003c/span\u003e\u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003e\u0026nbsp;via hessian d\u003c/span\u003e\u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003eeserialization rpc protocol\u003c/span\u003e\u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003e. Users can use the code under the master branch in project repo or version 1.11.0 to fix this issue.\u003c/span\u003e\u003cbr\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-502\", \"description\": \"CWE-502 Deserialization of Untrusted Data\"}]}], \"providerMetadata\": {\"orgId\": \"f0158376-9dc2-43b6-827c-5f631a4d8d09\", \"shortName\": \"apache\", \"dateUpdated\": \"2025-02-14T15:27:57.229Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-56180\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-02-18T15:10:16.650Z\", \"dateReserved\": \"2024-12-18T07:46:43.781Z\", \"assignerOrgId\": \"f0158376-9dc2-43b6-827c-5f631a4d8d09\", \"datePublished\": \"2025-02-14T13:34:26.600Z\", \"assignerShortName\": \"apache\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

fkie_cve-2024-56180

Vulnerability from fkie_nvd

Published

2025-02-14 14:15

Modified

2025-07-14 13:07

Severity ?

9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Summary

References

▼	URL	Tags
	security@apache.org	https://lists.apache.org/thread/k9fw0t5r7t1vbx53gs8d1r8c54rhx0wd	Mailing List, Vendor Advisory, Issue Tracking
	af854a3a-2127-422b-91ae-364da2661108	http://www.openwall.com/lists/oss-security/2025/02/14/7	Mailing List, Third Party Advisory

Impacted products

	Vendor	Product	Version
	apache	eventmesh	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:apache:eventmesh:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "55CDF7A9-8EB7-43F5-B892-61114CE8669D",
              "versionEndExcluding": "1.11.0",
              "versionStartIncluding": "1.10.1",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "CWE-502 Deserialization of Untrusted Data at the eventmesh-meta-raft\u00a0plugin\u00a0module in Apache EventMesh master branch without release version on windows\\linux\\mac os e.g. platforms allows attackers to send controlled message and remote code execute\u00a0via hessian deserialization rpc protocol. Users can use the code under the master branch in project repo or version 1.11.0 to fix this issue."
    },
    {
      "lang": "es",
      "value": "CWE-502 La deserializaci\u00f3n de datos no confiables en el m\u00f3dulo de complemento eventmesh-meta-raft en la rama maestra Apache EventMesh sin versi\u00f3n de lanzamiento en plataformas Windows\\Linux\\Mac OS, por ejemplo, permite a los atacantes enviar mensajes controlados y ejecutar c\u00f3digo remoto a trav\u00e9s del protocolo RPC de deserializaci\u00f3n hessiana. Los usuarios pueden usar el c\u00f3digo en la rama maestra en el repositorio del proyecto o la versi\u00f3n 1.11.0 para solucionar este problema."
    }
  ],
  "id": "CVE-2024-56180",
  "lastModified": "2025-07-14T13:07:40.770",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.8,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.9,
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-02-14T14:15:32.267",
  "references": [
    {
      "source": "security@apache.org",
      "tags": [
        "Mailing List",
        "Vendor Advisory",
        "Issue Tracking"
      ],
      "url": "https://lists.apache.org/thread/k9fw0t5r7t1vbx53gs8d1r8c54rhx0wd"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://www.openwall.com/lists/oss-security/2025/02/14/7"
    }
  ],
  "sourceIdentifier": "security@apache.org",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-502"
        }
      ],
      "source": "security@apache.org",
      "type": "Secondary"
    }
  ]
}

cnvd-2025-05699

Vulnerability from cnvd

Title: Apache EventMesh反序列化漏洞（CNVD-2025-05699）

Description:

Apache EventMesh是美国阿帕奇（Apache）基金会的新一代无服务器事件中间件，用于构建分布式事件驱动应用程序。

Apache EventMesh 1.11.0之前版本存在反序列化漏洞，该漏洞源于应用程序在接收用户提交的序列化数据的不安全反序列化处理，攻击者可利用该漏洞通过hessian反序列化rpc协议发送受控消息和远程代码执行。

Severity: 高

Patch Name: Apache EventMesh反序列化漏洞（CNVD-2025-05699）的补丁

Patch Description:

Apache EventMesh是美国阿帕奇（Apache）基金会的新一代无服务器事件中间件，用于构建分布式事件驱动应用程序。

Apache EventMesh 1.11.0之前版本存在反序列化漏洞，该漏洞源于应用程序在接收用户提交的序列化数据的不安全反序列化处理，攻击者可利用该漏洞通过hessian反序列化rpc协议发送受控消息和远程代码执行。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description:

厂商已发布了漏洞修复程序，请及时关注更新： https://github.com/apache/eventmesh/releases/tag/v1.11.0

Reference: https://nvd.nist.gov/vuln/detail/CVE-2024-56180

Impacted products

Name
Apache Apache EventMesh <1.11.0

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2024-56180",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2024-56180"
    }
  },
  "description": "Apache EventMesh\u662f\u7f8e\u56fd\u963f\u5e15\u5947\uff08Apache\uff09\u57fa\u91d1\u4f1a\u7684\u65b0\u4e00\u4ee3\u65e0\u670d\u52a1\u5668\u4e8b\u4ef6\u4e2d\u95f4\u4ef6\uff0c\u7528\u4e8e\u6784\u5efa\u5206\u5e03\u5f0f\u4e8b\u4ef6\u9a71\u52a8\u5e94\u7528\u7a0b\u5e8f\u3002\n\nApache EventMesh 1.11.0\u4e4b\u524d\u7248\u672c\u5b58\u5728\u53cd\u5e8f\u5217\u5316\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u5e94\u7528\u7a0b\u5e8f\u5728\u63a5\u6536\u7528\u6237\u63d0\u4ea4\u7684\u5e8f\u5217\u5316\u6570\u636e\u7684\u4e0d\u5b89\u5168\u53cd\u5e8f\u5217\u5316\u5904\u7406\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u901a\u8fc7hessian\u53cd\u5e8f\u5217\u5316rpc\u534f\u8bae\u53d1\u9001\u53d7\u63a7\u6d88\u606f\u548c\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://github.com/apache/eventmesh/releases/tag/v1.11.0",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2025-05699",
  "openTime": "2025-03-25",
  "patchDescription": "Apache EventMesh\u662f\u7f8e\u56fd\u963f\u5e15\u5947\uff08Apache\uff09\u57fa\u91d1\u4f1a\u7684\u65b0\u4e00\u4ee3\u65e0\u670d\u52a1\u5668\u4e8b\u4ef6\u4e2d\u95f4\u4ef6\uff0c\u7528\u4e8e\u6784\u5efa\u5206\u5e03\u5f0f\u4e8b\u4ef6\u9a71\u52a8\u5e94\u7528\u7a0b\u5e8f\u3002\r\n\r\nApache EventMesh 1.11.0\u4e4b\u524d\u7248\u672c\u5b58\u5728\u53cd\u5e8f\u5217\u5316\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u5e94\u7528\u7a0b\u5e8f\u5728\u63a5\u6536\u7528\u6237\u63d0\u4ea4\u7684\u5e8f\u5217\u5316\u6570\u636e\u7684\u4e0d\u5b89\u5168\u53cd\u5e8f\u5217\u5316\u5904\u7406\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u901a\u8fc7hessian\u53cd\u5e8f\u5217\u5316rpc\u534f\u8bae\u53d1\u9001\u53d7\u63a7\u6d88\u606f\u548c\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Apache EventMesh\u53cd\u5e8f\u5217\u5316\u6f0f\u6d1e\uff08CNVD-2025-05699\uff09\u7684\u8865\u4e01",
  "products": {
    "product": "Apache Apache EventMesh \u003c1.11.0"
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2024-56180",
  "serverity": "\u9ad8",
  "submitTime": "2025-02-19",
  "title": "Apache EventMesh\u53cd\u5e8f\u5217\u5316\u6f0f\u6d1e\uff08CNVD-2025-05699\uff09"
}

ghsa-ffvr-gmp3-xx43

Vulnerability from github

Published

2025-02-14 15:31

Modified

2025-02-19 17:48

Severity ?

9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Summary

Apache EventMesh: raft Hessian Deserialization Vulnerability allowing remote code execution

Details

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.eventmesh:eventmesh-meta-raft"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.10.1"
            },
            {
              "fixed": "1.11.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-56180"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-502"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-02-19T17:48:09Z",
    "nvd_published_at": "2025-02-14T14:15:32Z",
    "severity": "CRITICAL"
  },
  "details": "CWE-502 Deserialization of Untrusted Data at the eventmesh-meta-raft\u00a0plugin\u00a0module in Apache EventMesh master branch without release version on windows\\linux\\mac os e.g. platforms allows attackers to send controlled message and remote code execute\u00a0via hessian deserialization rpc protocol. Users can use the code under the master branch in project repo or version 1.11.0 to fix this issue.",
  "id": "GHSA-ffvr-gmp3-xx43",
  "modified": "2025-02-19T17:48:09Z",
  "published": "2025-02-14T15:31:05Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-56180"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/apache/eventmesh"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread/k9fw0t5r7t1vbx53gs8d1r8c54rhx0wd"
    },
    {
      "type": "WEB",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-56180"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2025/02/14/7"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Apache EventMesh: raft Hessian Deserialization Vulnerability allowing remote code execution"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

CVE-2024-56180 (GCVE-0-2024-56180)

Vulnerability from cvelistv5

fkie_cve-2024-56180

Vulnerability from fkie_nvd

cnvd-2025-05699

Vulnerability from cnvd

ghsa-ffvr-gmp3-xx43

Vulnerability from github

Tags

Sightings

Nomenclature