GHSA-2gh6-wc3m-g37f
Suggest an improvement- Source
- https://github.com/advisories/GHSA-2gh6-wc3m-g37f
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/09/GHSA-2gh6-wc3m-g37f/GHSA-2gh6-wc3m-g37f.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-2gh6-wc3m-g37f
- Published
- 2024-09-17T19:29:24Z
- Modified
- 2024-12-07T05:38:27.749613Z
- Severity
-
- 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- 9.3 (Critical) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- hermes-management is vulnerable to RCE due to Apache commons-jxpath
- Details
-
Impact
hermes-management is vulnerable to RCE when it processes user-controlled data due to using Apache commons-jxpath.
Patches
Upgrade Hermes to at least hermes-2.2.9
References
https://hackinglab.cz/en/blog/remote-code-execution-in-jxpath-library-cve-2022-41852/
- Database specific
{ "nvd_published_at": null, "github_reviewed_at": "2024-09-17T19:29:24Z", "cwe_ids": [ "CWE-1395" ], "severity": "CRITICAL", "github_reviewed": true }- References
Affected packages
Maven / pl.allegro.tech.hermes:hermes-management
Package
- Name
- pl.allegro.tech.hermes:hermes-management
- View open source insights on deps.dev
- Purl
- pkg:maven/pl.allegro.tech.hermes/hermes-management
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed2.2.9
Affected versions
0.*
0.7.2
0.7.3
0.7.4
0.7.5
0.7.6
0.8.0
0.8.1
0.8.2-rc1
0.8.2-rc2
0.8.2
0.8.3
0.8.3-batch-delivery
0.8.3-hotfix1
0.8.4
0.8.5
0.8.5-hotfix1
0.8.5-hotfix2
0.8.6
0.8.6-hotfix1
0.8.6-hotfix2
0.8.6-hotfix3
0.8.6-hotfix4
0.8.6-hotfix5
0.8.7
0.8.7-hotfix1
0.8.8
0.8.9
0.8.10
0.8.10-hotfix1
0.8.10-hotfix2
0.8.11
0.8.12
0.9.0
0.9.1
0.9.2
0.9.3
0.10.0
0.10.1
0.10.2
0.10.3
0.10.4
0.10.5
0.10.6
0.11.0
0.11.1
0.11.2
0.11.3
0.11.4
0.12.0
0.12.1
0.12.2
0.12.3
0.12.4
0.12.5
0.12.6
0.12.7
0.12.8
0.12.9
0.12.10
0.13.0
0.13.1
0.13.2
0.13.3
0.13.4
0.13.5
0.14.0
0.15.0
0.15.1
0.15.2
0.15.3
0.15.4
0.15.5
0.15.6
0.15.7
0.15.8
0.15.9
0.15.10-enable-setting-idle-connection-timeout-for-jetty-client
0.16.0
0.16.1
0.16.2
1.*
1.0.0
1.0.1
1.0.2
1.0.3
1.0.4
1.0.5
1.0.6
1.0.7
1.1.0
1.1.2
1.2.0
1.2.1
1.2.2
1.2.3
1.2.4
1.2.5
1.3.0
1.3.1
1.3.2
1.3.3
1.3.4
1.3.5
1.4.0
1.4.1
1.4.2
1.4.3
1.4.4
1.4.5
1.4.6
1.4.7
1.4.8
1.4.9
1.4.10
1.4.11
1.4.12
1.4.13
1.4.14
1.5.0
1.5.1
1.5.2
1.5.3
1.5.4
1.6.0
1.6.1
1.6.2
1.7.0
1.8.0
1.8.1
1.8.2
1.8.3
1.8.4
1.8.5
1.8.6
1.8.6-batch-exceptions-logging
1.8.7
1.8.8
1.8.9
1.9.0
1.9.1
1.9.2
1.9.3
1.9.4
1.9.5-management-restTemplate-bean-for-EventAuditor
1.9.6
1.9.7
1.9.8
1.9.9
1.9.10
1.9.11
1.9.12
1.9.13
1.9.14
1.9.15
1.10.0
1.10.1
1.10.2
1.11.0
1.11.1
1.11.2
1.12.0
1.12.1
1.12.2
1.12.3
1.12.4
1.13.0
1.14.0
1.14.1
2.*
2.0.0
2.1.0
2.1.1
2.1.2
2.1.3
2.1.4
2.1.5
2.1.6
2.2.0
2.2.1
2.2.2
2.2.3
2.2.4
2.2.5
2.2.6
2.2.7
2.2.8