cvelistv5 - cve-2024-56180

CVE-2024-56180 (GCVE-0-2024-56180)

Vulnerability from cvelistv5 – Published: 2025-02-14 13:34 – Updated: 2025-02-18 15:10

Summary

CWE-502 Deserialization of Untrusted Data at the eventmesh-meta-raft plugin module in Apache EventMesh master branch without release version on windows\linux\mac os e.g. platforms allows attackers to send controlled message and remote code execute via hessian deserialization rpc protocol. Users can use the code under the master branch in project repo or version 1.11.0 to fix this issue.

Severity ?

No CVSS data available.

CWE

CWE-502 - Deserialization of Untrusted Data

Assigner

apache

References

URL

Tags

https://lists.apache.org/thread/k9fw0t5r7t1vbx53g…

vendor-advisory

Impacted products

	Vendor	Product	Version
	Apache Software Foundation	Apache EventMesh	Affected: 1.10.1 , < 1.11.0 (semver)

Credits

yulate Au5t1n h3h3qaq X1r0z

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-02-14T17:02:37.296Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2025/02/14/7"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 9.8,
              "baseSeverity": "CRITICAL",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-56180",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-18T15:09:26.643766Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-18T15:10:16.650Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://repo.maven.apache.org/maven2",
          "defaultStatus": "unaffected",
          "packageName": "org.apache.eventmesh:eventmesh-meta-raft",
          "product": "Apache EventMesh",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThan": "1.11.0",
              "status": "affected",
              "version": "1.10.1",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "yulate"
        },
        {
          "lang": "en",
          "type": "reporter",
          "value": "Au5t1n"
        },
        {
          "lang": "en",
          "type": "reporter",
          "value": "h3h3qaq"
        },
        {
          "lang": "en",
          "type": "reporter",
          "value": "X1r0z"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eCWE-502 Deserialization of Untrusted Data at the eventmesh-meta-raft\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;plugin\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;module in Apache EventMesh master branch without release version on windows\\linux\\mac os e.g. platforms allows attackers to send controlled message and \u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eremote code execute\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;via hessian d\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eeserialization rpc protocol\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e. Users can use the code under the master branch in project repo or version 1.11.0 to fix this issue.\u003c/span\u003e\u003cbr\u003e"
            }
          ],
          "value": "CWE-502 Deserialization of Untrusted Data at the eventmesh-meta-raft\u00a0plugin\u00a0module in Apache EventMesh master branch without release version on windows\\linux\\mac os e.g. platforms allows attackers to send controlled message and remote code execute\u00a0via hessian deserialization rpc protocol. Users can use the code under the master branch in project repo or version 1.11.0 to fix this issue."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "text": "moderate"
            },
            "type": "Textual description of severity"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-502",
              "description": "CWE-502 Deserialization of Untrusted Data",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-02-14T15:27:57.229Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.apache.org/thread/k9fw0t5r7t1vbx53gs8d1r8c54rhx0wd"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Apache EventMesh: raft Hessian Deserialization Vulnerability allowing remote code execution",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2024-56180",
    "datePublished": "2025-02-14T13:34:26.600Z",
    "dateReserved": "2024-12-18T07:46:43.781Z",
    "dateUpdated": "2025-02-18T15:10:16.650Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-56180\",\"sourceIdentifier\":\"security@apache.org\",\"published\":\"2025-02-14T14:15:32.267\",\"lastModified\":\"2025-07-14T13:07:40.770\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"CWE-502 Deserialization of Untrusted Data at the eventmesh-meta-raft\u00a0plugin\u00a0module in Apache EventMesh master branch without release version on windows\\\\linux\\\\mac os e.g. platforms allows attackers to send controlled message and remote code execute\u00a0via hessian deserialization rpc protocol. Users can use the code under the master branch in project repo or version 1.11.0 to fix this issue.\"},{\"lang\":\"es\",\"value\":\"CWE-502 La deserializaci\u00f3n de datos no confiables en el m\u00f3dulo de complemento eventmesh-meta-raft en la rama maestra Apache EventMesh sin versi\u00f3n de lanzamiento en plataformas Windows\\\\Linux\\\\Mac OS, por ejemplo, permite a los atacantes enviar mensajes controlados y ejecutar c\u00f3digo remoto a trav\u00e9s del protocolo RPC de deserializaci\u00f3n hessiana. Los usuarios pueden usar el c\u00f3digo en la rama maestra en el repositorio del proyecto o la versi\u00f3n 1.11.0 para solucionar este problema.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"security@apache.org\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-502\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:eventmesh:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"1.10.1\",\"versionEndExcluding\":\"1.11.0\",\"matchCriteriaId\":\"55CDF7A9-8EB7-43F5-B892-61114CE8669D\"}]}]}],\"references\":[{\"url\":\"https://lists.apache.org/thread/k9fw0t5r7t1vbx53gs8d1r8c54rhx0wd\",\"source\":\"security@apache.org\",\"tags\":[\"Mailing List\",\"Vendor Advisory\",\"Issue Tracking\"]},{\"url\":\"http://www.openwall.com/lists/oss-security/2025/02/14/7\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"http://www.openwall.com/lists/oss-security/2025/02/14/7\"}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2025-02-14T17:02:37.296Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 9.8, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"CRITICAL\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-56180\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-02-18T15:09:26.643766Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-02-18T15:09:53.488Z\"}}], \"cna\": {\"title\": \"Apache EventMesh: raft Hessian Deserialization Vulnerability allowing remote code execution\", \"source\": {\"discovery\": \"UNKNOWN\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"reporter\", \"value\": \"yulate\"}, {\"lang\": \"en\", \"type\": \"reporter\", \"value\": \"Au5t1n\"}, {\"lang\": \"en\", \"type\": \"reporter\", \"value\": \"h3h3qaq\"}, {\"lang\": \"en\", \"type\": \"reporter\", \"value\": \"X1r0z\"}], \"metrics\": [{\"other\": {\"type\": \"Textual description of severity\", \"content\": {\"text\": \"moderate\"}}}], \"affected\": [{\"vendor\": \"Apache Software Foundation\", \"product\": \"Apache EventMesh\", \"versions\": [{\"status\": \"affected\", \"version\": \"1.10.1\", \"lessThan\": \"1.11.0\", \"versionType\": \"semver\"}], \"packageName\": \"org.apache.eventmesh:eventmesh-meta-raft\", \"collectionURL\": \"https://repo.maven.apache.org/maven2\", \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://lists.apache.org/thread/k9fw0t5r7t1vbx53gs8d1r8c54rhx0wd\", \"tags\": [\"vendor-advisory\"]}], \"x_generator\": {\"engine\": \"Vulnogram 0.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"CWE-502 Deserialization of Untrusted Data at the eventmesh-meta-raft\\u00a0plugin\\u00a0module in Apache EventMesh master branch without release version on windows\\\\linux\\\\mac os e.g. platforms allows attackers to send controlled message and remote code execute\\u00a0via hessian deserialization rpc protocol. Users can use the code under the master branch in project repo or version 1.11.0 to fix this issue.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003eCWE-502 Deserialization of Untrusted Data at the eventmesh-meta-raft\u003c/span\u003e\u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003e\u0026nbsp;plugin\u003c/span\u003e\u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003e\u0026nbsp;module in Apache EventMesh master branch without release version on windows\\\\linux\\\\mac os e.g. platforms allows attackers to send controlled message and \u003c/span\u003e\u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003eremote code execute\u003c/span\u003e\u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003e\u0026nbsp;via hessian d\u003c/span\u003e\u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003eeserialization rpc protocol\u003c/span\u003e\u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003e. Users can use the code under the master branch in project repo or version 1.11.0 to fix this issue.\u003c/span\u003e\u003cbr\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-502\", \"description\": \"CWE-502 Deserialization of Untrusted Data\"}]}], \"providerMetadata\": {\"orgId\": \"f0158376-9dc2-43b6-827c-5f631a4d8d09\", \"shortName\": \"apache\", \"dateUpdated\": \"2025-02-14T15:27:57.229Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-56180\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-02-18T15:10:16.650Z\", \"dateReserved\": \"2024-12-18T07:46:43.781Z\", \"assignerOrgId\": \"f0158376-9dc2-43b6-827c-5f631a4d8d09\", \"datePublished\": \"2025-02-14T13:34:26.600Z\", \"assignerShortName\": \"apache\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

CNVD-2025-05699

Vulnerability from cnvd - Published: 2025-03-25

Title

Apache EventMesh反序列化漏洞（CNVD-2025-05699）

Description

Apache EventMesh是美国阿帕奇（Apache）基金会的新一代无服务器事件中间件，用于构建分布式事件驱动应用程序。 Apache EventMesh 1.11.0之前版本存在反序列化漏洞，该漏洞源于应用程序在接收用户提交的序列化数据的不安全反序列化处理，攻击者可利用该漏洞通过hessian反序列化rpc协议发送受控消息和远程代码执行。

Severity

高

Patch Name

Apache EventMesh反序列化漏洞（CNVD-2025-05699）的补丁

Patch Description

Formal description

厂商已发布了漏洞修复程序，请及时关注更新： https://github.com/apache/eventmesh/releases/tag/v1.11.0

Reference

https://nvd.nist.gov/vuln/detail/CVE-2024-56180

Impacted products

Name
Apache Apache EventMesh <1.11.0

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2024-56180",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2024-56180"
    }
  },
  "description": "Apache EventMesh\u662f\u7f8e\u56fd\u963f\u5e15\u5947\uff08Apache\uff09\u57fa\u91d1\u4f1a\u7684\u65b0\u4e00\u4ee3\u65e0\u670d\u52a1\u5668\u4e8b\u4ef6\u4e2d\u95f4\u4ef6\uff0c\u7528\u4e8e\u6784\u5efa\u5206\u5e03\u5f0f\u4e8b\u4ef6\u9a71\u52a8\u5e94\u7528\u7a0b\u5e8f\u3002\n\nApache EventMesh 1.11.0\u4e4b\u524d\u7248\u672c\u5b58\u5728\u53cd\u5e8f\u5217\u5316\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u5e94\u7528\u7a0b\u5e8f\u5728\u63a5\u6536\u7528\u6237\u63d0\u4ea4\u7684\u5e8f\u5217\u5316\u6570\u636e\u7684\u4e0d\u5b89\u5168\u53cd\u5e8f\u5217\u5316\u5904\u7406\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u901a\u8fc7hessian\u53cd\u5e8f\u5217\u5316rpc\u534f\u8bae\u53d1\u9001\u53d7\u63a7\u6d88\u606f\u548c\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://github.com/apache/eventmesh/releases/tag/v1.11.0",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2025-05699",
  "openTime": "2025-03-25",
  "patchDescription": "Apache EventMesh\u662f\u7f8e\u56fd\u963f\u5e15\u5947\uff08Apache\uff09\u57fa\u91d1\u4f1a\u7684\u65b0\u4e00\u4ee3\u65e0\u670d\u52a1\u5668\u4e8b\u4ef6\u4e2d\u95f4\u4ef6\uff0c\u7528\u4e8e\u6784\u5efa\u5206\u5e03\u5f0f\u4e8b\u4ef6\u9a71\u52a8\u5e94\u7528\u7a0b\u5e8f\u3002\r\n\r\nApache EventMesh 1.11.0\u4e4b\u524d\u7248\u672c\u5b58\u5728\u53cd\u5e8f\u5217\u5316\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u5e94\u7528\u7a0b\u5e8f\u5728\u63a5\u6536\u7528\u6237\u63d0\u4ea4\u7684\u5e8f\u5217\u5316\u6570\u636e\u7684\u4e0d\u5b89\u5168\u53cd\u5e8f\u5217\u5316\u5904\u7406\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u901a\u8fc7hessian\u53cd\u5e8f\u5217\u5316rpc\u534f\u8bae\u53d1\u9001\u53d7\u63a7\u6d88\u606f\u548c\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Apache EventMesh\u53cd\u5e8f\u5217\u5316\u6f0f\u6d1e\uff08CNVD-2025-05699\uff09\u7684\u8865\u4e01",
  "products": {
    "product": "Apache Apache EventMesh \u003c1.11.0"
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2024-56180",
  "serverity": "\u9ad8",
  "submitTime": "2025-02-19",
  "title": "Apache EventMesh\u53cd\u5e8f\u5217\u5316\u6f0f\u6d1e\uff08CNVD-2025-05699\uff09"
}

GHSA-FFVR-GMP3-XX43

Vulnerability from github – Published: 2025-02-14 15:31 – Updated: 2025-02-19 17:48

Summary

Apache EventMesh: raft Hessian Deserialization Vulnerability allowing remote code execution

Details

Severity ?

9.8 (Critical)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.eventmesh:eventmesh-meta-raft"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.10.1"
            },
            {
              "fixed": "1.11.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-56180"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-502"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-02-19T17:48:09Z",
    "nvd_published_at": "2025-02-14T14:15:32Z",
    "severity": "CRITICAL"
  },
  "details": "CWE-502 Deserialization of Untrusted Data at the eventmesh-meta-raft\u00a0plugin\u00a0module in Apache EventMesh master branch without release version on windows\\linux\\mac os e.g. platforms allows attackers to send controlled message and remote code execute\u00a0via hessian deserialization rpc protocol. Users can use the code under the master branch in project repo or version 1.11.0 to fix this issue.",
  "id": "GHSA-ffvr-gmp3-xx43",
  "modified": "2025-02-19T17:48:09Z",
  "published": "2025-02-14T15:31:05Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-56180"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/apache/eventmesh"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread/k9fw0t5r7t1vbx53gs8d1r8c54rhx0wd"
    },
    {
      "type": "WEB",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-56180"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2025/02/14/7"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Apache EventMesh: raft Hessian Deserialization Vulnerability allowing remote code execution"
}

FKIE_CVE-2024-56180

Vulnerability from fkie_nvd - Published: 2025-02-14 14:15 - Updated: 2025-07-14 13:07

Severity ?

9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Summary

References

	URL	Tags
	security@apache.org	https://lists.apache.org/thread/k9fw0t5r7t1vbx53gs8d1r8c54rhx0wd	Mailing List, Vendor Advisory, Issue Tracking
	af854a3a-2127-422b-91ae-364da2661108	http://www.openwall.com/lists/oss-security/2025/02/14/7	Mailing List, Third Party Advisory

Impacted products

	Vendor	Product	Version
	apache	eventmesh	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:apache:eventmesh:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "55CDF7A9-8EB7-43F5-B892-61114CE8669D",
              "versionEndExcluding": "1.11.0",
              "versionStartIncluding": "1.10.1",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "CWE-502 Deserialization of Untrusted Data at the eventmesh-meta-raft\u00a0plugin\u00a0module in Apache EventMesh master branch without release version on windows\\linux\\mac os e.g. platforms allows attackers to send controlled message and remote code execute\u00a0via hessian deserialization rpc protocol. Users can use the code under the master branch in project repo or version 1.11.0 to fix this issue."
    },
    {
      "lang": "es",
      "value": "CWE-502 La deserializaci\u00f3n de datos no confiables en el m\u00f3dulo de complemento eventmesh-meta-raft en la rama maestra Apache EventMesh sin versi\u00f3n de lanzamiento en plataformas Windows\\Linux\\Mac OS, por ejemplo, permite a los atacantes enviar mensajes controlados y ejecutar c\u00f3digo remoto a trav\u00e9s del protocolo RPC de deserializaci\u00f3n hessiana. Los usuarios pueden usar el c\u00f3digo en la rama maestra en el repositorio del proyecto o la versi\u00f3n 1.11.0 para solucionar este problema."
    }
  ],
  "id": "CVE-2024-56180",
  "lastModified": "2025-07-14T13:07:40.770",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.8,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.9,
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-02-14T14:15:32.267",
  "references": [
    {
      "source": "security@apache.org",
      "tags": [
        "Mailing List",
        "Vendor Advisory",
        "Issue Tracking"
      ],
      "url": "https://lists.apache.org/thread/k9fw0t5r7t1vbx53gs8d1r8c54rhx0wd"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://www.openwall.com/lists/oss-security/2025/02/14/7"
    }
  ],
  "sourceIdentifier": "security@apache.org",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-502"
        }
      ],
      "source": "security@apache.org",
      "type": "Secondary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2024-56180 (GCVE-0-2024-56180)

CNVD-2025-05699

GHSA-FFVR-GMP3-XX43

FKIE_CVE-2024-56180

Tags

Sightings

Nomenclature