oss-security - CVE-2024-56180: Apache EventMesh: raft Hessian Deserialization Vulnerability allowing remote code execution

Follow @Openwall on Twitter for new release announcements and other news

[<prev] [next>] [day] [month] [year] [list]

Message-ID: <1526e64d-6ff0-bf7a-962d-4fa92aaa97e3@apache.org>
Date: Fri, 14 Feb 2025 11:53:11 +0000
From: Xue Weiming <mikexue@...che.org>
To: oss-security@...ts.openwall.com
Subject: CVE-2024-56180: Apache EventMesh: raft Hessian Deserialization
 Vulnerability allowing remote code execution 

Severity: moderate

Affected versions:

- Apache EventMesh unaffected

Description:

CWE-502 Deserialization of Untrusted Data at the eventmesh-meta-raft plugin module in Apache EventMesh master branch without release version on windows\linux\mac os e.g. platforms allows attackers to send controlled message and remote code execute via hessian deserialization rpc protocol. Users can use the code under the master branch in project repo or version 1.11.0-release to fix this issue.

Credit:

yulate (reporter)
Au5t1n (reporter)
h3h3qaq (reporter)
X1r0z (reporter)

References:

https://eventmesh.apache.org
https://www.cve.org/CVERecord?id=CVE-2024-56180

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.