Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS01ZnBxLTNjOXAtM3Izd84AA4E3
ShifuML shifu code injection vulnerability
A vulnerability has been found in ShifuML shifu 0.12.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file src/main/java/ml/shifu/shifu/core/DataPurifier.java of the component Java Expression Language Handler. The manipulation of the argument FilterExpression leads to code injection. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-249151.
Permalink: https://github.com/advisories/GHSA-5fpq-3c9p-3r3wJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS01ZnBxLTNjOXAtM3Izd84AA4E3
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 11 months ago
Updated: 11 months ago
CVSS Score: 5.0
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L
Identifiers: GHSA-5fpq-3c9p-3r3w, CVE-2023-7148
References:
- https://nvd.nist.gov/vuln/detail/CVE-2023-7148
- https://drive.google.com/file/d/1ST3dD-iwUBgBNZ8tGaBbqVi1zRh5rLND/view
- https://vuldb.com/?ctiid.249151
- https://vuldb.com/?id.249151
- https://github.com/ShifuML/shifu/blob/20f589158adfc011c505664cf7bdf31e36ed62fa/src/main/java/ml/shifu/shifu/core/DataPurifier.java
- https://github.com/advisories/GHSA-5fpq-3c9p-3r3w
Blast Radius: 0.0
Affected Packages
maven:ml.shifu:shifu
Dependent packages: 2Dependent repositories: 1
Downloads:
Affected Version Ranges: <= 0.12.0
No known fixed version
All affected versions: 0.10.0, 0.10.2, 0.10.3, 0.10.4, 0.10.5, 0.11.0, 0.11.1, 0.11.2, 0.12.0