CVE-2023-45146

Source
https://nvd.nist.gov/vuln/detail/CVE-2023-45146
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-45146.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2023-45146
Aliases
Published
2023-10-18T22:15:09Z
Modified
2024-09-03T04:34:20.086750Z
Severity
  • 10.0 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Summary
[none]
Details

XXL-RPC is a high-performance, distributed RPC framework. With it, a TCP server can be set up using the Netty framework and the Hessian serialization mechanism. When such a configuration is used, attackers may be able to connect to the server and provide malicious serialized objects that, once deserialized, force it to execute arbitrary code. This can be abused to take control of the machine the server is running on by way of remote code execution. This issue has not been fixed.

References

Affected packages

Git / github.com/xuxueli/xxl-rpc

Affected ranges

Type
GIT
Repo
https://github.com/xuxueli/xxl-rpc
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected

Affected versions

1.*

1.4.0
1.4.1
1.4.2
1.5.0
1.7.0

v1.*

v1.0.1
v1.0.1M
v1.2.0
v1.2.1
v1.2.2
v1.3.0
v1.3.1
v1.3.2
v1.6.0