Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS12NmM4LXB3aHEtMjg4bc4AA1aE
Nacos Spring vulnerable to Unsafe Deserialization
An issue in Nacos Group Nacos Spring Project v.1.1.1 and before allows a remote attacker to execute arbitrary code via the SnakeYamls Constructor() component.
Permalink: https://github.com/advisories/GHSA-v6c8-pwhq-288mJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS12NmM4LXB3aHEtMjg4bc4AA1aE
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 9 months ago
Updated: 6 months ago
CVSS Score: 8.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-v6c8-pwhq-288m, CVE-2023-39106
References:
- https://nvd.nist.gov/vuln/detail/CVE-2023-39106
- https://github.com/nacos-group/nacos-spring-project/issues/314
- https://github.com/advisories/GHSA-v6c8-pwhq-288m
Blast Radius: 18.6
Affected Packages
maven:com.alibaba.nacos:nacos-spring-context
Dependent packages: 20Dependent repositories: 131
Downloads:
Affected Version Ranges: <= 1.1.1
No known fixed version
All affected versions: 0.3.0, 0.3.1, 0.3.3, 0.3.4, 0.3.5, 0.3.6, 1.0.0, 1.1.0, 1.1.1