Bug ID 1213660
Summary VUL-0: CVE-2023-38647: helix: Deserialization vulnerability in Helix workflow and REST
Classification openSUSE
Product openSUSE Distribution
Version Leap 15.5
Hardware Other
URL https://smash.suse.de/issue/373380/
OS Other
Status NEW
Severity Normal
Priority P5 - None
Component Other
Assignee socvirnyl.estela@gmail.com
Reporter gianluca.gabrielli@suse.com
QA Contact qa-bugs@suse.de
Target Milestone ---
Found By ---
Blocker ---

Posted by Junkai Xue on Jul 25

Severity: important

Affected versions:

- Apache Helix through 1.2.0

Description:

An attacker can use SnakeYAML to deserialize java.net.URLClassLoader and make it load a JAR from a specified URL, and then deserialize javax.script.ScriptEngineManager to load code using that ClassLoader. This unbounded deserialization can likely lead to remote code execution. The code can be run in Helix REST start and Workflow creation.

Affect all the...

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-38647
https://seclists.org/oss-sec/2023/q3/73
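The mitigation for this class of bug is to stop SnakeYAML from honouring arbitrary `!!fully.qualified.ClassName` tags when loading untrusted documents. The following is an added illustration, not Helix's own code: it loads a workflow definition with SnakeYAML's SafeConstructor, which only builds standard YAML types and rejects class tags such as the java.net.URLClassLoader one named above. It assumes SnakeYAML 2.x on the classpath; the workflow keys and both sample documents are constructed for the example.

```java
import java.util.Map;
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.ConstructorException;
import org.yaml.snakeyaml.constructor.SafeConstructor;

public class SafeWorkflowYaml {

    // Hardened loader. SafeConstructor knows only the core YAML types
    // (mappings, sequences, scalars) and throws ConstructorException for any
    // !!java.* class tag, so a document cannot ask the parser to instantiate
    // java.net.URLClassLoader or javax.script.ScriptEngineManager.
    // The default `new Yaml()` uses Constructor, which does honour such tags.
    public static Map<String, Object> loadWorkflowConfig(String yaml) {
        LoaderOptions opts = new LoaderOptions();
        Yaml loader = new Yaml(new SafeConstructor(opts));
        Object doc = loader.load(yaml);
        if (!(doc instanceof Map)) {
            throw new IllegalArgumentException("workflow config must be a YAML mapping");
        }
        @SuppressWarnings("unchecked")
        Map<String, Object> cfg = (Map<String, Object>) doc;
        return cfg;
    }

    public static void main(String[] args) {
        // Constructed, benign workflow definition (hypothetical keys).
        String benign = "name: nightly-rebalance\njobs:\n  - job-1\n  - job-2\n";
        System.out.println("loaded: " + loadWorkflowConfig(benign));

        // Constructed document carrying a class tag. The safe loader refuses it
        // during construction, before any object of that class exists.
        String tagged = "name: nightly-rebalance\njobs: !!java.net.URLClassLoader []\n";
        try {
            loadWorkflowConfig(tagged);
            System.out.println("UNEXPECTED: tagged document was accepted");
        } catch (ConstructorException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The same rule applies to any code path that reads YAML from a REST body or a user-supplied workflow file: construct the Yaml instance with SafeConstructor (or a custom constructor with an explicit allowlist) rather than the default Constructor.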

