Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1majhmLTU2d2MtcTM2cs4AA0u5
rabbitmq-connector plugin module in Apache EventMesh platforms allows attackers to send controlled message
CWE-502 Deserialization of Untrusted Data at the rabbitmq-connector plugin module in Apache EventMesh (incubating) V1.7.0\V1.8.0 on windows\linux\mac os e.g. platforms allows attackers to send controlled message and
remote code execute via rabbitmq messages. Users can use the code under the master branch in project repo to fix this issue, the new version is set to be released as soon as possible.
Permalink: https://github.com/advisories/GHSA-fj8f-56wc-q36rJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1majhmLTU2d2MtcTM2cs4AA0u5
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: over 1 year ago
Updated: about 1 year ago
CVSS Score: 9.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Percentage: 0.00695
EPSS Percentile: 0.80827
Identifiers: GHSA-fj8f-56wc-q36r, CVE-2023-26512
References:
- https://nvd.nist.gov/vuln/detail/CVE-2023-26512
- https://lists.apache.org/thread/zb1d62wh8o8pvntrnx4t1hj8vz0pm39p
- https://github.com/advisories/GHSA-fj8f-56wc-q36r
Affected Packages
maven:org.apache.eventmesh:eventmesh-connector-rabbitmq
Dependent packages: 0Dependent repositories: 0
Downloads:
Affected Version Ranges: >= 1.7.0, <= 1.8.0
No known fixed version
All affected versions: